defensivedepth / Sysmon_ELSA_Parsers

ELSA Parsers for Sysmon Events
http://defensivedepth.com
MIT License

sysmon3 #4

Closed strengthnotes closed 9 years ago

strengthnotes commented 9 years ago

Just FYI, if these might help you, here are my ELSA parsers for sysmon3 that I have been working with: Event 1 and Event 8. I moved them to a separate file, as I was not sure how to have separate "versions" of the parsers in ELSA. Thanks

defensivedepth commented 9 years ago

Fantastic, I was just gearing up to tweak my ELSA parsers... I will look over these this week... Thanks!

strengthnotes commented 9 years ago

Sounds great, I look forward to the final version. Just be aware that I am new to ELSA parsers and this was my learning project.

defensivedepth commented 9 years ago

Deployed into test and looks good... Going into limited prod now. I have edited a couple files on my side to divide out v1 vs. v3 events, and will submit the updated v3 parser to SO. I did not test ID 8.

Thanks again for submitting these changes!

strengthnotes commented 9 years ago

Sounds good. So is this something where we could have both sysmon1 and sysmon3 parsing in the same file when it goes to SO? It looks like the latest PR only has 3. Or is it not worth messing with sysmon1 at this point?

About event ID 8: I noticed that when running meterpreter migrate, Sysmon ID 8 was fired every time, and that is why I wrote it, in hopes of other tools behaving in a similar way. I want to research more to see if I see this in other scenarios and verify that my ELSA SQL fields are done properly, but it might be worth adding to SO as a low-volume event, and I have OSSEC parsers for it.

Should I create another pull request directly to SO if I would like to see event ID 8 added in the future?

defensivedepth commented 9 years ago

There are a couple of options to have v1 & v3 parsers at the same time, and both of them take a bit more time than I have right now. This, coupled with the fact that, for a number of reasons, I don't think v1 is widely deployed, makes me think that we just go with v3.

For ID 8: It sounds like a great option to have, especially if it is a high-SNR indicator (which it sounds like it could be). If you think it is at a good place to release, then yes, I would suggest creating a PR directly to SO and creating an accompanying Issue, so that @dougburks can prioritize it. I would also suggest that you create a new class called something like SYSMON_REMTHREAD, or throw it under the SYSMON_PROCESS class if you think it would work. You could also contribute the OSSEC decoder to the OSSEC project, as I have done the same with the Sysmon ID 1 decoder + rules.

If you would like some extra help, let me know, and I will see what I can do. It would be great to have more parsers, decoders & rulesets for Sysmon--thanks for contributing!

defensivedepth commented 9 years ago

@jtaylo78 I just deployed your Remote Thread parser and I like it a lot... Have you been able to edit it for Sysmon 3.1 compatibility? If you are able to do this, I would definitely like to see this included with the other Sysmon parsers for SO... Also, any chance you can post your OSSEC parser as well?

This is some pretty cool stuff, thanks again.

strengthnotes commented 9 years ago

Good deal... I just noticed that Sysmon 3.1 came out today. I was going to take a look at it next week and could edit the Remote Thread process if you don't get to it first.

I was going to submit a PR today to SO, but I started wondering if I should change sourceprocessguid to just processguid and sourceimage to image to match your other parser. Do you have a preference or thoughts on that? It is sometimes nice to do searches without a class and pull up image:blah in any class.

The problem with my OSSEC parsers is that my Windows events stopped alerting when I added yours, so I ended up writing my own without a parent. They should be here if they are any help; if you don't see them, let me know.
https://github.com/jtaylo78/Sysmon_OSSEC

On a somewhat unrelated note, the ELSA scanmd5 transform: have you ever used that? Any thoughts about using it with Sysmon to do a transform on all unique values over the last 24 hours, for example? It doesn't work for me, and I was thinking about digging in and seeing if it was worthwhile.

Have you ever played with "If First Time Seen" in OSSEC on any of these parsers? It would probably be crazy, but I have been debating it.

Yes, I am excited about SO and Sysmon; I think there is some real potential. Glad you put it together.
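The event ID 8 parsing and the field-naming question raised in this thread (reusing image/processguid across classes, a separate SYSMON_REMTHREAD class), as an added Python example that is not code from either poster's parser or from the SO project: it parses a constructed, flattened Sysmon event 8 line into ELSA-style fields and applies two assumed defender-side triage heuristics. The one-line "Key: Value" layout of the sample is an assumption about how a forwarder flattens the Windows event text.

```python
import re

# Constructed sample of a Sysmon event ID 8 (CreateRemoteThread) message after a
# forwarder flattened the multi-line event text; values are made up, keys are Sysmon's.
SAMPLE_EVENT_8 = (
    "CreateRemoteThread detected:  UtcTime: 2015-01-01 12:00:00.000  "
    "SourceProcessGuid: {00000000-0000-0000-0000-000000000001}  SourceProcessId: 1234  "
    "SourceImage: C:\\Users\\user\\Downloads\\payload.exe  "
    "TargetProcessGuid: {00000000-0000-0000-0000-000000000002}  TargetProcessId: 5678  "
    "TargetImage: C:\\Windows\\System32\\notepad.exe  NewThreadId: 9999  "
    "StartAddress: 0x00000000001B0000  StartModule:   StartFunction: "
)

# Sysmon key -> ELSA-style column. The source side reuses the short names of the
# SYSMON_PROCESS parser so a class-less search like image:payload.exe spans both classes.
FIELD_MAP = {
    "UtcTime": "utctime",
    "SourceProcessGuid": "processguid",
    "SourceProcessId": "processid",
    "SourceImage": "image",
    "TargetProcessGuid": "targetprocessguid",
    "TargetProcessId": "targetprocessid",
    "TargetImage": "targetimage",
    "NewThreadId": "newthreadid",
    "StartAddress": "startaddress",
    "StartModule": "startmodule",
    "StartFunction": "startfunction",
}

def parse_event_8(line):
    """Split a flattened event 8 line into ELSA-style fields for class SYSMON_REMTHREAD."""
    record = {"class": "SYSMON_REMTHREAD"}
    # Tokens are separated by runs of whitespace; only the first colon splits key from
    # value, because UtcTime and drive letters carry colons of their own.
    for token in re.split(r"\s{2,}", line.strip()):
        key, _, value = token.partition(":")
        if key in FIELD_MAP:
            record[FIELD_MAP[key]] = value.strip()
    return record

def remote_thread_findings(record):
    """Assumed triage heuristics for one parsed event 8 record (defender-side notes)."""
    findings = []
    if record.get("processguid") != record.get("targetprocessguid"):
        findings.append("thread created in another process (cross-process injection)")
    if not record.get("startmodule"):
        # Sysmon leaves StartModule empty when the start address maps to no loaded module.
        findings.append("start address not backed by a loaded module")
    return findings
```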

defensivedepth commented 9 years ago

Ya, I probably won't get to the RT 3.1 parser first, so have at it!

My preference would be to have a separate class.

Thanks for the OSSEC parser, I will check it out...

I think it would be pretty cool to use the scanmd5 transform, but it appears to be having stability problems, and I think I would hit the API request max pretty fast....

RE: First Time Seen, no I haven't. Like you said, it would probably be pretty high volume....

Thanks again.