wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Adding support for new sysmon events #3458

Closed 72nomada closed 2 years ago

72nomada commented 2 years ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.0 | https://github.com/wazuh/wazuh-qa/issues/3396 | https://github.com/wazuh/wazuh/pull/13594 |

This issue is part of the global addition of APT emulation rules.

Rebits commented 2 years ago

Tester review

| Tester | PR commit |
|---|---|
| @Rebits | 1c5fe38 |

Testing environment

| OS | OS version | Deployment | Image/AMI |
|---|---|---|---|
| Ubuntu | 22 | EC2 | ami-003530de8839921c4 |
| Windows Server | 2022 | EC2 | ami-047e29beecff33db0 |

Tested packages

| OS | Package |
|---|---|
| Ubuntu | Manager |
| Windows Server | Agent |

Status

Conclusion :yellow_circle:

Improvements have been suggested both in the documentation and in the ruleset.

Rebits commented 2 years ago

Testing results :yellow_circle:

Preconditions

Change windows base rules

In order to test new Sysmon rules we are required to change the windows base rule (`0575-win-base_rules.xml`) as follows:

```
\.+ no_full_log Group of windows rules. json
```

This allows running the logtest tool for Windows events.

SysmonSimulator Tool

For Sysmon simulation of some events, we are going to use the [SysmonSimulator](https://github.com/ScarredMonk/SysmonSimulator) tool. The steps used for each event are specified in the [Understanding Sysmon Events using SysmonSimulator](https://rootdse.org/posts/understanding-sysmon-events/) blog.
Sysmon - Event 1 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 1
```

Sysmon event

```
2022 Oct 14 08:38:35 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T08:38:34.4376064Z","eventRecordID":"26","processID":"4488","threadID":"3380","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: SysmonSimulator ProcessCreate Simulation for WMIC.exe\r\nUtcTime: 2022-10-14 08:38:34.436\r\nProcessGuid: {3bd4f97a-200a-6349-ca01-000000009600}\r\nProcessId: 2212\r\nImage: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: WMI Commandline Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: wmic.exe\r\nCommandLine: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nCurrentDirectory: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nLogonGuid: {3bd4f97a-1e51-6349-6e29-040000000000}\r\nLogonId: 0x4296E\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=6E7CA64D4777CACA3B0CF45325346DB7\r\nParentProcessGuid: {3bd4f97a-200a-6349-c901-000000009600}\r\nParentProcessId: 6016\r\nParentImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nParentCommandLine: \"C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\" -eid 1\r\nParentUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"SysmonSimulator ProcessCreate Simulation for WMIC.exe","utcTime":"2022-10-14 08:38:34.436","processGuid":"{3bd4f97a-200a-6349-ca01-000000009600}","processId":"2212","image":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"WMI Commandline Utility","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"wmic.exe","commandLine":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","currentDirectory":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\","user":"EC2AMAZ-N9OLJ1L\\\\qa","logonGuid":"{3bd4f97a-1e51-6349-6e29-040000000000}","logonId":"0x4296e","terminalSessionId":"2","integrityLevel":"High","hashes":"MD5=6E7CA64D4777CACA3B0CF45325346DB7","parentProcessGuid":"{3bd4f97a-200a-6349-c901-000000009600}","parentProcessId":"6016","parentImage":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","parentCommandLine":"\\\"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe\\\" -eid 1","parentUser":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61603'
    level: '0'
    description: 'Sysmon - Event 1: Process creation WMI Commandline Utility'
    groups: '['windows', 'sysmon', 'sysmon_event1']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 2 :yellow_circle:

The rule uses `win.eventdata.sourceImage` instead of `win.eventdata.image`, making the description of the rule incomplete.

Event generation command

```
(Get-Item "C:\a.exe").creationTime = '01/11/2002 06:40:36'
```

Sysmon event

```
2022 Oct 13 15:46:24 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"2","version":"5","level":"4","task":"2","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T15:46:23.3398124Z","eventRecordID":"8","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"File creation time changed:\r\nRuleName: T1099\r\nUtcTime: 2022-10-13 15:46:23.339\r\nProcessGuid: {3bd4f97a-2e65-6348-7001-000000009500}\r\nProcessId: 1700\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nTargetFilename: C:\\a.exe\r\nCreationUtcTime: 2002-01-11 06:40:36.000\r\nPreviousCreationUtcTime: 2022-10-13 15:45:19.523\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"T1099","utcTime":"2022-10-13 15:46:23.339","processGuid":"{3bd4f97a-2e65-6348-7001-000000009500}","processId":"1700","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","targetFilename":"C:\\\\a.exe","creationUtcTime":"2002-01-11 06:40:36.000","previousCreationUtcTime":"2022-10-13 15:45:19.523","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

The event field `win.eventdata.sourceImage` does not exist in this type of Sysmon event. Instead, it is obtained from the `win.eventdata.source` field. This makes the description of the alert incomplete.

```
**Phase 3: Completed filtering (rules).
    id: '61604'
    level: '0'
    description: 'Sysmon - Event 2: changed file C:\\a.exe creation time '
    groups: '['windows', 'sysmon', 'sysmon_event2']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 3 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 3
```

Sysmon event

```
2022 Oct 13 16:10:18 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:10:17.4040762Z","eventRecordID":"13","processID":"2832","threadID":"604","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: SysmonSimulator Network connect Simulation for NMAP\r\nUtcTime: 2022-10-13 16:10:14.480\r\nProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nProcessId: 2704\r\nImage: <unknown process>\r\nUser: -\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.31.2.245\r\nSourceHostname: EC2AMAZ-N9OLJ1L.ec2.internal\r\nSourcePort: 50055\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 45.33.32.156\r\nDestinationHostname: scanme.nmap.org\r\nDestinationPort: 31337\r\nDestinationPortName: -\""},"eventdata":{"ruleName":"SysmonSimulator Network connect Simulation for NMAP","utcTime":"2022-10-13 16:10:14.480","processGuid":"{00000000-0000-0000-0000-000000000000}","processId":"2704","image":"<unknown process>","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"172.31.2.245","sourceHostname":"EC2AMAZ-N9OLJ1L.ec2.internal","sourcePort":"50055","destinationIsIpv6":"false","destinationIp":"45.33.32.156","destinationHostname":"scanme.nmap.org","destinationPort":"31337"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61605'
    level: '0'
    description: 'Sysmon - Event 3: Network connection to 45.33.32.156:31337 by <unknown process>'
    groups: '['windows', 'sysmon', 'sysmon_event3']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 4 :green_circle:

Event generation command

```
.\Sysmon64.exe -u
```

Sysmon event

```
2022 Oct 14 08:44:47 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"4","version":"3","level":"4","task":"4","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T08:44:46.0894329Z","eventRecordID":"31","processID":"4488","threadID":"5856","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Sysmon service state changed:\r\nUtcTime: 2022-10-14 08:44:46.075\r\nState: Stopped\r\nVersion: 14.1\r\nSchemaVersion: 4.83\""},"eventdata":{"utcTime":"2022-10-14 08:44:46.075","state":"Stopped","version":"14.1","schemaVersion":"4.83"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61606'
    level: '0'
    description: 'Sysmon - Event 4: Sysmon service state changed to "Stopped"'
    groups: '['windows', 'sysmon', 'sysmon_event4']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 5 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 5
```

Sysmon event

```
2022 Oct 13 16:15:45 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"5","version":"3","level":"4","task":"5","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:15:44.3070779Z","eventRecordID":"19","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process terminated:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:15:44.296\r\nProcessGuid: {3bd4f97a-39b0-6348-0b02-000000009500}\r\nProcessId: 6560\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:15:44.296","processGuid":"{3bd4f97a-39b0-6348-0b02-000000009500}","processId":"6560","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61607'
    level: '0'
    description: 'Sysmon - Event 5: Process terminated C:\\Windows\\System32\\wbem\\WmiPrvSE.exe'
    groups: '['windows', 'sysmon', 'sysmon_event5']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 6 :green_circle:

Event generation command

For the Driver loaded event, we are going to use mimikatz as follows:

```
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started
mimikatz #
```

Sysmon event

```
2022 Oct 14 09:13:34 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"6","version":"4","level":"4","task":"6","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T09:13:33.5914067Z","eventRecordID":"54","processID":"5184","threadID":"5444","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Driver loaded:\r\nRuleName: -\r\nUtcTime: 2022-10-14 09:13:33.505\r\nImageLoaded: C:\\Users\\qa\\Downloads\\mimikatz_trunk\\x64\\mimidrv.sys\r\nHashes: MD5=3E528207CA374123F63789195A4AEDDE\r\nSigned: false\r\nSignature: -\r\nSignatureStatus: Expired\""},"eventdata":{"utcTime":"2022-10-14 09:13:33.505","imageLoaded":"C:\\\\Users\\\\qa\\\\Downloads\\\\mimikatz_trunk\\\\x64\\\\mimidrv.sys","hashes":"MD5=3E528207CA374123F63789195A4AEDDE","signed":"false","signatureStatus":"Expired"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61608'
    level: '0'
    description: 'Sysmon - Event 6: Driver loaded C:\\Users\\qa\\Downloads\\mimikatz_trunk\\x64\\mimidrv.sys'
    groups: '['windows', 'sysmon', 'sysmon_event6']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 7 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 7
```

Sysmon event

```
2022 Oct 13 16:21:43 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"7","version":"3","level":"4","task":"7","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:21:42.2103725Z","eventRecordID":"70","processID":"2832","threadID":"3620","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Image loaded:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:21:42.128\r\nProcessGuid: {3bd4f97a-3b15-6348-2302-000000009500}\r\nProcessId: 1464\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nImageLoaded: C:\\Windows\\System32\\kernel.appcore.dll\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: AppModel API Host\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: kernel.appcore.dll\r\nHashes: MD5=BC9743DC5ED027A2946426452844F4F3\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:21:42.128","processGuid":"{3bd4f97a-3b15-6348-2302-000000009500}","processId":"1464","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","imageLoaded":"C:\\\\Windows\\\\System32\\\\kernel.appcore.dll","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"AppModel API Host","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"kernel.appcore.dll","hashes":"MD5=BC9743DC5ED027A2946426452844F4F3","signed":"true","signature":"Microsoft Windows","signatureStatus":"Valid","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61609'
    level: '0'
    description: 'Sysmon - Event 7: Image C:\\Windows\\System32\\kernel.appcore.dll loaded by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event7']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 8 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 8
```

Sysmon event

```
2022 Oct 13 16:23:00 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"8","version":"2","level":"4","task":"8","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:22:59.7277273Z","eventRecordID":"94","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"CreateRemoteThread detected:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:22:59.722\r\nSourceProcessGuid: {3bd4f97a-3b63-6348-2502-000000009500}\r\nSourceProcessId: 4888\r\nSourceImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetProcessGuid: {3bd4f97a-3b63-6348-2602-000000009500}\r\nTargetProcessId: 1432\r\nTargetImage: <unknown process>\r\nNewThreadId: 2872\r\nStartAddress: 0x0000000000100000\r\nStartModule: -\r\nStartFunction: -\r\nSourceUser: EC2AMAZ-N9OLJ1L\\qa\r\nTargetUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:22:59.722","sourceProcessGuid":"{3bd4f97a-3b63-6348-2502-000000009500}","sourceProcessId":"4888","sourceImage":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetProcessGuid":"{3bd4f97a-3b63-6348-2602-000000009500}","targetProcessId":"1432","targetImage":"<unknown process>","newThreadId":"2872","startAddress":"0x0000000000100000","sourceUser":"EC2AMAZ-N9OLJ1L\\\\qa","targetUser":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61610'
    level: '0'
    description: 'Sysmon - Event 8: CreateRemoteThread by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe on <unknown process>, possible process injection'
    groups: '['windows', 'sysmon', 'sysmon_event8']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 9 :yellow_circle:

Incomplete description due to using `win.eventdata.sourceImage` instead of `win.eventdata.image`.

Event generation command

```
.\SysmonSimulator.exe -eid 9
```

Sysmon event

```
2022 Oct 13 16:26:28 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"9","version":"2","level":"4","task":"9","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:26:27.8096944Z","eventRecordID":"152","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:26:27.803\r\nProcessGuid: {3bd4f97a-3c33-6348-3002-000000009500}\r\nProcessId: 4720\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nDevice: \\Device\\HarddiskVolume1\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:26:27.803","processGuid":"{3bd4f97a-3c33-6348-3002-000000009500}","processId":"4720","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","device":"\\\\Device\\\\HarddiskVolume1","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

Incomplete description; use the `image` field instead.

```
**Phase 3: Completed filtering (rules).
    id: '61611'
    level: '0'
    description: 'Sysmon - Event 9: RawAccessRead by '
    groups: '['windows', 'sysmon', 'sysmon_event9']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 10 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 10
```

Sysmon event

```
2022 Oct 13 16:28:34 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"10","version":"3","level":"4","task":"10","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:28:33.7157779Z","eventRecordID":"182","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process accessed:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:28:33.705\r\nSourceProcessGUID: {3bd4f97a-3cb1-6348-3402-000000009500}\r\nSourceProcessId: 2792\r\nSourceThreadId: 5744\r\nSourceImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetProcessGUID: {3bd4f97a-3cb1-6348-3502-000000009500}\r\nTargetProcessId: 6908\r\nTargetImage: C:\\Windows\\System32\\notepad.exe\r\nGrantedAccess: 0x1FFFFF\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2ad6e|C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe+19a9|C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe+3007|C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe+36a0|C:\\Windows\\System32\\KERNEL32.DLL+14ed0|C:\\Windows\\SYSTEM32\\ntdll.dll+7e39b\r\nSourceUser: EC2AMAZ-N9OLJ1L\\qa\r\nTargetUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:28:33.705","sourceProcessGUID":"{3bd4f97a-3cb1-6348-3402-000000009500}","sourceProcessId":"2792","sourceThreadId":"5744","sourceImage":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetProcessGUID":"{3bd4f97a-3cb1-6348-3502-000000009500}","targetProcessId":"6908","targetImage":"C:\\\\Windows\\\\System32\\\\notepad.exe","grantedAccess":"0x1fffff","callTrace":"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9f3b4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+2ad6e|C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe+19a9|C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe+3007|C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe+36a0|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+14ed0|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+7e39b","sourceUser":"EC2AMAZ-N9OLJ1L\\\\qa","targetUser":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61612'
    level: '0'
    description: 'Sysmon - Event 10: C:\\Windows\\System32\\notepad.exe process accessed by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event_10']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 11 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 11
```

Sysmon event

```
2022 Oct 13 16:30:21 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:30:20.1256391Z","eventRecordID":"234","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:30:20.121\r\nProcessGuid: {3bd4f97a-3d1c-6348-3e02-000000009500}\r\nProcessId: 3640\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetFilename: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\NewFile.bat\r\nCreationUtcTime: 2022-10-13 16:30:20.121\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:30:20.121","processGuid":"{3bd4f97a-3d1c-6348-3e02-000000009500}","processId":"3640","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetFilename":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\NewFile.bat","creationUtcTime":"2022-10-13 16:30:20.121","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61613'
    level: '0'
    description: 'Sysmon - Event 11: FileCreate by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event_11']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 12 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 12
```

Sysmon event

```
2022 Oct 13 16:31:59 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"12","version":"2","level":"4","task":"12","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:31:58.0692348Z","eventRecordID":"261","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Registry object added or deleted:\r\nRuleName: -\r\nEventType: CreateKey\r\nUtcTime: 2022-10-13 16:31:58.064\r\nProcessGuid: {3bd4f97a-3d7e-6348-4102-000000009500}\r\nProcessId: 3076\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetObject: HKU\\S-1-5-21-3903952831-1299841522-690912765-1001\\TestSysmon\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"eventType":"CreateKey","utcTime":"2022-10-13 16:31:58.064","processGuid":"{3bd4f97a-3d7e-6348-4102-000000009500}","processId":"3076","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetObject":"HKU\\\\S-1-5-21-3903952831-1299841522-690912765-1001\\\\TestSysmon","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61614'
    level: '0'
    description: 'Sysmon - Event 12: RegistryEvent CreateKey on HKU\\S-1-5-21-3903952831-1299841522-690912765-1001\\TestSysmon by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event_12']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 13 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 13
```

Sysmon event

```
2022 Oct 13 16:31:59 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:31:58.0715282Z","eventRecordID":"264","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: -\r\nEventType: SetValue\r\nUtcTime: 2022-10-13 16:31:58.064\r\nProcessGuid: {3bd4f97a-3d7e-6348-4102-000000009500}\r\nProcessId: 3076\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3903952831-1299841522-690912765-1001\\\\Device\\HarddiskVolume1\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nDetails: Binary Data\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"eventType":"SetValue","utcTime":"2022-10-13 16:31:58.064","processGuid":"{3bd4f97a-3d7e-6348-4102-000000009500}","processId":"3076","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetObject":"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-5-21-3903952831-1299841522-690912765-1001\\\\\\\\Device\\\\HarddiskVolume1\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","details":"Binary Data","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61615'
    level: '0'
    description: 'Sysmon - Event 13: RegistryEvent SetValue on HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3903952831-1299841522-690912765-1001\\\\Device\\HarddiskVolume1\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event_13']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 14 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 14
```

Sysmon event

```
2022 Oct 13 16:34:13 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"14","version":"2","level":"4","task":"14","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:34:12.3030051Z","eventRecordID":"286","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Registry object renamed:\r\nRuleName: -\r\nEventType: RenameKey\r\nUtcTime: 2022-10-13 16:34:12.290\r\nProcessGuid: {3bd4f97a-3e04-6348-4202-000000009500}\r\nProcessId: 7108\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetObject: HKU\\S-1-5-21-3903952831-1299841522-690912765-1001\\NewRegistrySysmonTesting\r\nNewName: HKU\\S-1-5-21-3903952831-1299841522-690912765-1001\\RegistrySysmonTestingRenamed\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"eventType":"RenameKey","utcTime":"2022-10-13 16:34:12.290","processGuid":"{3bd4f97a-3e04-6348-4202-000000009500}","processId":"7108","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetObject":"HKU\\\\S-1-5-21-3903952831-1299841522-690912765-1001\\\\NewRegistrySysmonTesting","newName":"HKU\\\\S-1-5-21-3903952831-1299841522-690912765-1001\\\\RegistrySysmonTestingRenamed","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61616'
    level: '0'
    description: 'Sysmon - Event 14: RegistryEvent (Key and Value Rename) by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event_14']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 15 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 15
```

Sysmon event

```
2022 Oct 13 16:35:41 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"15","version":"2","level":"4","task":"15","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:35:39.9117454Z","eventRecordID":"321","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"File stream created:\r\nRuleName: -\r\nUtcTime: 2022-10-13 16:35:39.909\r\nProcessGuid: {3bd4f97a-3e5b-6348-4902-000000009500}\r\nProcessId: 2984\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetFilename: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\Streamfile.txt:SysmonStream\r\nCreationUtcTime: 2022-10-13 16:35:39.895\r\nHash: MD5=76992C68A8F641610E820145CA9D606A\r\nContents: Sysmon simulator has written in ADS SysmonStream of Streamfile.txt\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-13 16:35:39.909","processGuid":"{3bd4f97a-3e5b-6348-4902-000000009500}","processId":"2984","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetFilename":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\Streamfile.txt:SysmonStream","creationUtcTime":"2022-10-13 16:35:39.895","hash":"MD5=76992C68A8F641610E820145CA9D606A","contents":"Sysmon simulator has written in ADS SysmonStream of Streamfile.txt","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
    description: 'Sysmon - Event 15: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\Streamfile.txt:SysmonStream FileCreateStreamHash by process C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
    groups: '['windows', 'sysmon', 'sysmon_event_15']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 16 :green_circle:

Event generation command

```
.\Sysmon64.exe -c sysconfig.xml
```

Sysmon event

```
2022 Oct 13 15:37:47 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"16","version":"3","level":"4","task":"16","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T15:37:46.1165459Z","eventRecordID":"6","processID":"4116","threadID":"4196","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Sysmon config state changed:\r\nUtcTime: 2022-10-13 15:37:46.115\r\nConfiguration: C:\\Users\\qa\\Downloads\\Sysmon\\sysconfig.xml\r\nConfigurationFileHash: SHA256=6BBD943FD132A748906E13909208A234E3D6551C48BD3EF655A43A5F66FA4F3F\""},"eventdata":{"utcTime":"2022-10-13 15:37:46.115","configuration":"C:\\\\Users\\\\qa\\\\Downloads\\\\Sysmon\\\\sysconfig.xml","configurationFileHash":"SHA256=6BBD943FD132A748906E13909208A234E3D6551C48BD3EF655A43A5F66FA4F3F"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61644'
    level: '0'
    description: 'Sysmon - Event 16: Sysmon configuration changed using file C:\\Users\\qa\\Downloads\\Sysmon\\sysconfig.xml'
    groups: '['windows', 'sysmon', 'sysmon_event_16']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 17 :green_circle:

Event generation command

```
.\SysmonSimulator.exe -eid 17
```

Sysmon event

```
2022 Oct 13 16:37:53 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"17","version":"1","level":"4","task":"17","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:37:52.4327735Z","eventRecordID":"367","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-10-13 16:37:52.425\r\nProcessGuid: {3bd4f97a-3ee0-6348-4c02-000000009500}\r\nProcessId: 5500\r\nPipeName: \\sysmontestnamedpipe\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"eventType":"CreatePipe","utcTime":"2022-10-13 16:37:52.425","processGuid":"{3bd4f97a-3ee0-6348-4c02-000000009500}","processId":"5500","pipeName":"\\\\sysmontestnamedpipe","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
    id: '61645'
    level: '0'
    description: 'Sysmon - Event 17: Pipe created'
    groups: '['windows', 'sysmon', 'sysmon_event_17']'
    firedtimes: '1'
    mail: 'False'
```
Sysmon - Event 18 :green_circle:
Event generation command

```
.\SysmonSimulator.exe -eid 18
```

Sysmon event

```
2022 Oct 13 16:39:28 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"18","version":"1","level":"4","task":"18","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-13T16:39:27.1668501Z","eventRecordID":"397","processID":"2832","threadID":"3612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2022-10-13 16:39:27.164\r\nProcessGuid: {3bd4f97a-3f3f-6348-5802-000000009500}\r\nProcessId: 5796\r\nPipeName: \\sysmontestconnectpipe\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"eventType":"ConnectPipe","utcTime":"2022-10-13 16:39:27.164","processGuid":"{3bd4f97a-3f3f-6348-5802-000000009500}","processId":"5796","pipeName":"\\\\sysmontestconnectpipe","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61646'
	level: '0'
	description: 'Sysmon - Event 18: Pipe connected'
	groups: '['windows', 'sysmon', 'sysmon_event_18']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 19 :green_circle:
Event generation command

```
PS C:\Users\qa\Downloads\SysmonSimulator-Latest.exe> # Creating a new event filter
>> $ServiceFilter = ([wmiclass]"\\.\root\subscription:__EventFilter").CreateInstance()
>> $ServiceFilter.QueryLanguage = 'WQL'
>> $ServiceFilter.Query = "select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'"
>> $ServiceFilter.Name = "ServiceFilter"
>> $ServiceFilter.EventNamespace = 'root\cimv2'
PS C:\Users\qa\Downloads\SysmonSimulator-Latest.exe> # Sets the instance in the namespace
>> $FilterResult = $ServiceFilter.Put()
>> $ServiceFilterObj = $FilterResult.Path
PS C:\Users\qa\Downloads\SysmonSimulator-Latest.exe>
```

Sysmon event

```
2022 Oct 14 09:47:32 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"19","version":"3","level":"4","task":"19","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T09:47:31.4523582Z","eventRecordID":"87","processID":"5184","threadID":"1988","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"WmiEventFilter activity detected:\r\nRuleName: -\r\nEventType: WmiFilterEvent\r\nUtcTime: 2022-10-14 09:47:31.448\r\nOperation: Modified\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nEventNamespace: \"root\\\\cimv2\"\r\nName: \"ServiceFilter\"\r\nQuery: \"select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'\"\""},"eventdata":{"eventType":"WmiFilterEvent","utcTime":"2022-10-14 09:47:31.448","operation":"Modified","user":"EC2AMAZ-N9OLJ1L\\\\qa","eventNamespace":" \\\"root\\\\\\\\cimv2\\\"","name":" \\\"ServiceFilter\\\"","query":" \\\"select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'\\\""}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61647'
	level: '0'
	description: 'Sysmon - Event 19: WmiEventFilter activity'
	groups: '['windows', 'sysmon', 'sysmon_event_19']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 20 :green_circle:
Event generation command

```
# Creating a new event consumer
$LogConsumer = ([wmiclass]"\\.\root\subscription:LogFileEventConsumer").CreateInstance()
# Set properties of consumer
$LogConsumer.Name = 'ServiceConsumer'
$LogConsumer.Filename = "C:\Log.log"
$LogConsumer.Text = 'A change has occurred on the service: %TargetInstance.DisplayName%'
# Sets the instance in the namespace
$LogResult = $LogConsumer.Put()
$LogConsumerObj = $LogResult.Path
```

Sysmon event

```
2022 Oct 14 09:49:27 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"20","version":"3","level":"4","task":"20","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T09:49:26.8379043Z","eventRecordID":"88","processID":"5184","threadID":"812","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"WmiEventConsumer activity detected:\r\nRuleName: -\r\nEventType: WmiConsumerEvent\r\nUtcTime: 2022-10-14 09:49:26.825\r\nOperation: Created\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nName: \"ServiceConsumer\"\r\nType: Log File\r\nDestination: \"C:\\\\Log.log\"\""},"eventdata":{"eventType":"WmiConsumerEvent","utcTime":"2022-10-14 09:49:26.825","operation":"Created","user":"EC2AMAZ-N9OLJ1L\\\\qa","name":" \\\"ServiceConsumer\\\"","type":"Log File","destination":" \\\"C:\\\\\\\\Log.log\\\""}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61648'
	level: '0'
	description: 'Sysmon - Event 20: WmiEventConsumer activity'
	groups: '['windows', 'sysmon', 'sysmon_event_20']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 21 :green_circle:
Event generation command

```
# Creating new binder
$instanceBinding = ([wmiclass]"\\.\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $ServiceFilterObj
$instanceBinding.Consumer = $LogConsumerObj
$result = $instanceBinding.Put()
$newBinding = $result.Path
```

Sysmon event

```
2022 Oct 14 09:51:19 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"21","version":"3","level":"4","task":"21","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T09:51:18.2421793Z","eventRecordID":"89","processID":"5184","threadID":"812","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"WmiEventConsumerToFilter activity detected:\r\nRuleName: -\r\nEventType: WmiBindingEvent\r\nUtcTime: 2022-10-14 09:51:18.232\r\nOperation: Created\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nConsumer: \"\\\\\\\\.\\\\root\\\\subscription:LogFileEventConsumer.Name=\\\"ServiceConsumer\\\"\"\r\nFilter: \"\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\\"ServiceFilter\\\"\"\""},"eventdata":{"eventType":"WmiBindingEvent","utcTime":"2022-10-14 09:51:18.232","operation":"Created","user":"EC2AMAZ-N9OLJ1L\\\\qa","consumer":" \\\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription:LogFileEventConsumer.Name=\\\\\\\"ServiceConsumer\\\\\\\"\\\"","filter":" \\\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription:__EventFilter.Name=\\\\\\\"ServiceFilter\\\\\\\"\\\""}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61649'
	level: '0'
	description: 'Sysmon - Event 21: WmiEventConsumerToFilter activity'
	groups: '['windows', 'sysmon', 'sysmon_event_21']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 22 :green_circle:
Event generation command

```
.\SysmonSimulator.exe -eid 22
```

Sysmon event

```
2022 Oct 14 09:56:29 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"22","version":"5","level":"4","task":"22","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T09:56:28.5764598Z","eventRecordID":"99","processID":"5184","threadID":"4452","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Dns query:\r\nRuleName: -\r\nUtcTime: 2022-10-14 09:56:26.567\r\nProcessGuid: {3bd4f97a-2349-6349-6500-000000009700}\r\nProcessId: 3976\r\nQueryName: ssm.us-east-1.amazonaws.com\r\nQueryStatus: 0\r\nQueryResults: ::ffff:52.46.141.158;\r\nImage: C:\\Program Files\\Amazon\\SSM\\ssm-agent-worker.exe\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"utcTime":"2022-10-14 09:56:26.567","processGuid":"{3bd4f97a-2349-6349-6500-000000009700}","processId":"3976","queryName":"ssm.us-east-1.amazonaws.com","queryStatus":"0","queryResults":"::ffff:52.46.141.158;","image":"C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-agent-worker.exe","user":"NT AUTHORITY\\\\SYSTEM"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61650'
	level: '0'
	description: 'Sysmon - Event 22: DNS Query event'
	groups: '['windows', 'sysmon', 'sysmon_event_22']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 23 :green_circle:
Event generation command

It was not possible to simulate this Sysmon event using SysmonSimulator or direct PowerShell commands. A custom event for testing is proposed.

Sysmon event

```
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"23","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T08:38:34.4376064Z","eventRecordID":"26","processID":"4488","threadID":"3380","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: SysmonSimulator ProcessCreate Simulation for WMIC.exe\r\nUtcTime: 2022-10-14 08:38:34.436\r\nProcessGuid: {3bd4f97a-200a-6349-ca01-000000009600}\r\nProcessId: 2212\r\nImage: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: WMI Commandline Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: wmic.exe\r\nCommandLine: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nCurrentDirectory: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nLogonGuid: {3bd4f97a-1e51-6349-6e29-040000000000}\r\nLogonId: 0x4296E\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=6E7CA64D4777CACA3B0CF45325346DB7\r\nParentProcessGuid: {3bd4f97a-200a-6349-c901-000000009600}\r\nParentProcessId: 6016\r\nParentImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nParentCommandLine: \"C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\" -eid 1\r\nParentUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"SysmonSimulator ProcessCreate Simulation for WMIC.exe","utcTime":"2022-10-14 08:38:34.436","processGuid":"{3bd4f97a-200a-6349-ca01-000000009600}","processId":"2212","image":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"WMI Commandline Utility","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"wmic.exe","commandLine":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","currentDirectory":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\","user":"EC2AMAZ-N9OLJ1L\\\\qa","logonGuid":"{3bd4f97a-1e51-6349-6e29-040000000000}","logonId":"0x4296e","terminalSessionId":"2","integrityLevel":"High","hashes":"MD5=6E7CA64D4777CACA3B0CF45325346DB7","parentProcessGuid":"{3bd4f97a-200a-6349-c901-000000009600}","parentProcessId":"6016","parentImage":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","parentCommandLine":"\\\"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe\\\" -eid 1","parentUser":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61651'
	level: '0'
	description: 'Sysmon - Event 23: File deleted and archived'
	groups: '['windows', 'sysmon', 'sysmon_event_23']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 24 :green_circle:
Event generation command

It was not possible to simulate this Sysmon event using SysmonSimulator or direct PowerShell commands. A custom event for testing is proposed.

Sysmon event

```
2022 Oct 14 08:38:35 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"24","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T08:38:34.4376064Z","eventRecordID":"26","processID":"4488","threadID":"3380","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: SysmonSimulator ProcessCreate Simulation for WMIC.exe\r\nUtcTime: 2022-10-14 08:38:34.436\r\nProcessGuid: {3bd4f97a-200a-6349-ca01-000000009600}\r\nProcessId: 2212\r\nImage: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: WMI Commandline Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: wmic.exe\r\nCommandLine: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nCurrentDirectory: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nLogonGuid: {3bd4f97a-1e51-6349-6e29-040000000000}\r\nLogonId: 0x4296E\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=6E7CA64D4777CACA3B0CF45325346DB7\r\nParentProcessGuid: {3bd4f97a-200a-6349-c901-000000009600}\r\nParentProcessId: 6016\r\nParentImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nParentCommandLine: \"C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\" -eid 1\r\nParentUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"SysmonSimulator ProcessCreate Simulation for WMIC.exe","utcTime":"2022-10-14 08:38:34.436","processGuid":"{3bd4f97a-200a-6349-ca01-000000009600}","processId":"2212","image":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"WMI Commandline Utility","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"wmic.exe","commandLine":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","currentDirectory":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\","user":"EC2AMAZ-N9OLJ1L\\\\qa","logonGuid":"{3bd4f97a-1e51-6349-6e29-040000000000}","logonId":"0x4296e","terminalSessionId":"2","integrityLevel":"High","hashes":"MD5=6E7CA64D4777CACA3B0CF45325346DB7","parentProcessGuid":"{3bd4f97a-200a-6349-c901-000000009600}","parentProcessId":"6016","parentImage":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","parentCommandLine":"\\\"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe\\\" -eid 1","parentUser":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61652'
	level: '0'
	description: 'Sysmon - Event 24: Clipboard change'
	groups: '['windows', 'sysmon', 'sysmon_event_24']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 25 :green_circle:
Event generation command

```
.\SysmonSimulator.exe -eid 25
```

Sysmon event

```
2022 Oct 14 10:07:55 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"25","version":"5","level":"4","task":"25","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T10:07:54.4617827Z","eventRecordID":"124","processID":"5184","threadID":"5480","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process Tampering:\r\nRuleName: SysmonSimulator ProcessTampering Simulation\r\nUtcTime: 2022-10-14 10:07:54.457\r\nProcessGuid: {3bd4f97a-34fa-6349-9b02-000000009700}\r\nProcessId: 5752\r\nImage: c:\\windows\\system32\\cmd.exe\r\nType: Image is replaced\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"SysmonSimulator ProcessTampering Simulation","utcTime":"2022-10-14 10:07:54.457","processGuid":"{3bd4f97a-34fa-6349-9b02-000000009700}","processId":"5752","image":"c:\\\\windows\\\\system32\\\\cmd.exe","type":"Image is replaced","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61653'
	level: '0'
	description: 'Sysmon - Event 25: Process tampering - Image change'
	groups: '['windows', 'sysmon', 'sysmon_event_25']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 26 :green_circle:
Event generation command

It was not possible to simulate this Sysmon event using SysmonSimulator or direct PowerShell commands. A custom event for testing is proposed.

Sysmon event

```
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"26","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T08:38:34.4376064Z","eventRecordID":"26","processID":"4488","threadID":"3380","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: SysmonSimulator ProcessCreate Simulation for WMIC.exe\r\nUtcTime: 2022-10-14 08:38:34.436\r\nProcessGuid: {3bd4f97a-200a-6349-ca01-000000009600}\r\nProcessId: 2212\r\nImage: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: WMI Commandline Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: wmic.exe\r\nCommandLine: C:\\Windows\\System32\\wbem\\WMIC.exe\r\nCurrentDirectory: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\\r\nUser: EC2AMAZ-N9OLJ1L\\qa\r\nLogonGuid: {3bd4f97a-1e51-6349-6e29-040000000000}\r\nLogonId: 0x4296E\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=6E7CA64D4777CACA3B0CF45325346DB7\r\nParentProcessGuid: {3bd4f97a-200a-6349-c901-000000009600}\r\nParentProcessId: 6016\r\nParentImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nParentCommandLine: \"C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\" -eid 1\r\nParentUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"SysmonSimulator ProcessCreate Simulation for WMIC.exe","utcTime":"2022-10-14 08:38:34.436","processGuid":"{3bd4f97a-200a-6349-ca01-000000009600}","processId":"2212","image":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"WMI Commandline Utility","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"wmic.exe","commandLine":"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe","currentDirectory":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\","user":"EC2AMAZ-N9OLJ1L\\\\qa","logonGuid":"{3bd4f97a-1e51-6349-6e29-040000000000}","logonId":"0x4296e","terminalSessionId":"2","integrityLevel":"High","hashes":"MD5=6E7CA64D4777CACA3B0CF45325346DB7","parentProcessGuid":"{3bd4f97a-200a-6349-c901-000000009600}","parentProcessId":"6016","parentImage":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","parentCommandLine":"\\\"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe\\\" -eid 1","parentUser":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Sysmon Alert

```
**Phase 3: Completed filtering (rules).
	id: '61654'
	level: '0'
	description: 'Sysmon - Event 26: File deleted'
	groups: '['windows', 'sysmon', 'sysmon_event_26']'
	firedtimes: '1'
	mail: 'False'
```

Sysmon - Event 255 :yellow_circle:

According to the [Sysmon documentation](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon), ID 255 stands for a Sysmon error. These error events can happen if the system is under heavy load and certain tasks could not be performed, or if a bug exists in the Sysmon service. However, this ID is not included in the ruleset.

Event generation command

The Sysmon error message could not be replicated manually. A custom event is proposed.

Sysmon event

Consider this custom event with eventID `255` (Sysmon error):

```
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"255","version":"5","level":"4","task":"22","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-14T10:19:22.7373425Z","eventRecordID":"271","processID":"2624","threadID":"3544","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"Dns query:\r\nRuleName: -\r\nUtcTime: 2022-10-14 10:19:19.391\r\nProcessGuid: {3bd4f97a-3636-6349-6500-000000009800}\r\nProcessId: 2820\r\nQueryName: ssm.us-east-1.amazonaws.com\r\nQueryStatus: 0\r\nQueryResults: ::ffff:52.119.198.91;\r\nImage: C:\\Program Files\\Amazon\\SSM\\ssm-agent-worker.exe\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"utcTime":"2022-10-14 10:19:19.391","processGuid":"{3bd4f97a-3636-6349-6500-000000009800}","processId":"2820","queryName":"ssm.us-east-1.amazonaws.com","queryStatus":"0","queryResults":"::ffff:52.119.198.91;","image":"C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-agent-worker.exe","user":"NT AUTHORITY\\\\SYSTEM"}}}
```

Sysmon Alert

There is no custom alert for the Sysmon error event.

```
**Phase 3: Completed filtering (rules).
	id: '61600'
	level: '0'
	description: 'Windows Sysmon informational event'
	groups: '['windows', 'sysmon']'
	firedtimes: '1'
	mail: 'False'
```

runtests :green_circle:
Everything works as expected. Runtests output: [runtest.zip](https://github.com/wazuh/wazuh-qa/files/9787395/runtest_output.zip)

Sysmon integration documentation :yellow_circle:
Currently, there are two blogs about Sysmon integration: https://wazuh.com/blog/learn-to-detect-threats-on-windows-by-monitoring-sysmon-events/ and https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/. Regarding these modifications in the ruleset, minor suggestions are proposed for the [Learn to detect threats on Windows by monitoring Sysmon events](https://wazuh.com/blog/learn-to-detect-threats-on-windows-by-monitoring-sysmon-events/) blog:

- Update the sysconfig.xml schema, including the new Sysmon event IDs
- Enrich sysconfig.xml, increasing the use cases presented in the blog, and explain how to customize sysconfig.xml for each use case
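The WMI events 19, 20 and 21 captured above only become useful to an analyst when they are read together: the binding (event 21) names the filter and consumer as WMI object paths, and those names tie back to the filter's query (event 19) and the consumer's destination (event 20). Note also how the agent delivers these fields: each WMI value arrives with a leading space and surrounding quotes, and backslashes are doubled at every escaping layer, so a rule or script matching on `win.eventdata.name` exactly has to account for that. The following added Python example (not part of the Wazuh ruleset or this QA framework) correlates the three events into one subscription record; the sample lines are constructed from the eventdata of the captured events, with the system block trimmed.

```python
"""Correlate Sysmon WMI events 19 (filter), 20 (consumer) and 21 (binding) as
forwarded by the Wazuh agent into one WMI subscription record. Added example
for this issue; it is not part of the Wazuh ruleset or the QA framework."""
import json
import re

# A Wazuh EventChannel line is "<date> (<host>) any->EventChannel {json}";
# custom events fed to wazuh-logtest are bare JSON, so the prefix is optional.
_PREFIX = re.compile(r"^.*?any->EventChannel\s+")

# In a binding event the filter/consumer are WMI object paths such as
# \\.\root\subscription:__EventFilter.Name="ServiceFilter". Sysmon renders them
# as escaped string literals and the agent escapes them once more, so the regex
# tolerates any number of backslashes before the quotes around the name.
_WMI_REF = re.compile(r'subscription:(\w+)\.Name=\\*"([^"\\]+)\\*"')


def parse_event(line: str) -> dict:
    """Return the decoded 'win' object of a Sysmon event from a Wazuh line."""
    return json.loads(_PREFIX.sub("", line.strip(), count=1))["win"]


def clean_wmi_value(value: str) -> str:
    """Normalise a WMI eventdata value. As seen in the captured events, Sysmon
    emits these quoted and Wazuh keeps a leading space (e.g. ' \\"ServiceFilter\\"'),
    and backslashes in paths are doubled per escaping layer. Strip the
    decoration and collapse each run of backslashes to a single one."""
    v = value.strip().strip('\\"')
    return re.sub(r"\\+", r"\\", v)


def wmi_object_ref(value: str) -> tuple[str, str]:
    """Return (WMI class, Name) from the filter/consumer path of an event 21."""
    m = _WMI_REF.search(value)
    if not m:
        raise ValueError(f"unrecognised WMI object path: {value!r}")
    return m.group(1), m.group(2)


def correlate_wmi_subscriptions(lines) -> list[dict]:
    """Join the three Sysmon events by WMI object name. Each returned record is
    one binding (event 21) enriched with the filter query (event 19) and the
    consumer destination (event 20). 'complete' is False when either half was
    not seen, which is itself worth a look when reviewing persistence."""
    filters, consumers, bindings = {}, {}, []
    for line in lines:
        ev = parse_event(line)
        if ev["system"].get("providerName") != "Microsoft-Windows-Sysmon":
            continue
        data, eid = ev["eventdata"], ev["system"]["eventID"]
        if eid == "19":
            filters[clean_wmi_value(data["name"])] = {
                "namespace": clean_wmi_value(data["eventNamespace"]),
                "query": clean_wmi_value(data["query"]),
            }
        elif eid == "20":
            consumers[clean_wmi_value(data["name"])] = {
                "type": data["type"],
                "destination": clean_wmi_value(data["destination"]),
            }
        elif eid == "21":
            bindings.append((wmi_object_ref(data["filter"]),
                             wmi_object_ref(data["consumer"]),
                             clean_wmi_value(data["user"])))
    records = []
    for (f_cls, f_name), (c_cls, c_name), user in bindings:
        flt, con = filters.get(f_name, {}), consumers.get(c_name, {})
        records.append({
            "user": user,
            "filter": f"{f_cls}:{f_name}", "query": flt.get("query"),
            "namespace": flt.get("namespace"),
            "consumer": f"{c_cls}:{c_name}", "destination": con.get("destination"),
            "consumer_type": con.get("type"),
            "complete": bool(flt) and bool(con),
        })
    return records


# Constructed sample: system block trimmed, eventdata copied from the captured
# events 19, 20 and 21 of this issue.
SAMPLE_EVENTS = [
    r'''2022 Oct 14 09:47:32 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"19"},"eventdata":{"eventType":"WmiFilterEvent","utcTime":"2022-10-14 09:47:31.448","operation":"Modified","user":"EC2AMAZ-N9OLJ1L\\\\qa","eventNamespace":" \\\"root\\\\\\\\cimv2\\\"","name":" \\\"ServiceFilter\\\"","query":" \\\"select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'\\\""}}}''',
    r'''2022 Oct 14 09:49:27 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"20"},"eventdata":{"eventType":"WmiConsumerEvent","utcTime":"2022-10-14 09:49:26.825","operation":"Created","user":"EC2AMAZ-N9OLJ1L\\\\qa","name":" \\\"ServiceConsumer\\\"","type":"Log File","destination":" \\\"C:\\\\\\\\Log.log\\\""}}}''',
    r'''2022 Oct 14 09:51:19 (EC2AMAZ-N9OLJ1L) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"21"},"eventdata":{"eventType":"WmiBindingEvent","utcTime":"2022-10-14 09:51:18.232","operation":"Created","user":"EC2AMAZ-N9OLJ1L\\\\qa","consumer":" \\\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription:LogFileEventConsumer.Name=\\\\\\\"ServiceConsumer\\\\\\\"\\\"","filter":" \\\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription:__EventFilter.Name=\\\\\\\"ServiceFilter\\\\\\\"\\\""}}}''',
]

if __name__ == "__main__":
    for rec in correlate_wmi_subscriptions(SAMPLE_EVENTS):
        print(json.dumps(rec, indent=2))
```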
Rebits commented 2 years ago

13/10/2022

Rebits commented 2 years ago

14/10/2022

fabamatic commented 2 years ago

Fixed Sysmon rules for events 2 and 9. Added rule for event 255

jmv74211 commented 2 years ago

QA review

All of this will be discussed with the development team, and approved or not based on these findings.

Rebits commented 2 years ago

Testing after requested changes


Results :green_circle:

Runtest :green_circle:

**Runtest output**: [runtest.zip](https://github.com/wazuh/wazuh-qa/files/9801189/runtest.zip)
Sysmon - Event 2 :green_circle:
Event generation command

```
> .\SysmonSimulator.exe -eid 2
```

Event

```
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"2","version":"5","level":"4","task":"2","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-17T13:52:24.0113305Z","eventRecordID":"4","processID":"1380","threadID":"3336","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"File creation time changed:\r\nRuleName: SysmonSimulator FileCreateTime modification Simulation for SysmonCreateFileTime.txt\r\nUtcTime: 2022-10-17 13:52:24.005\r\nProcessGuid: {3bd4f97a-5e18-634d-ca02-000000009500}\r\nProcessId: 6300\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nTargetFilename: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonCreateFileTime.txt\r\nCreationUtcTime: 2022-01-03 16:54:25.272\r\nPreviousCreationUtcTime: 2022-01-03 16:54:25.272\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"ruleName":"SysmonSimulator FileCreateTime modification Simulation for SysmonCreateFileTime.txt","utcTime":"2022-10-17 13:52:24.005","processGuid":"{3bd4f97a-5e18-634d-ca02-000000009500}","processId":"6300","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","targetFilename":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonCreateFileTime.txt","creationUtcTime":"2022-01-03 16:54:25.272","previousCreationUtcTime":"2022-01-03 16:54:25.272","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Alert

```
**Phase 3: Completed filtering (rules).
	id: '61604'
	level: '0'
	description: 'Sysmon - Event 2: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe changed file C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonCreateFileTime.txt creation time '
	groups: '['windows', 'sysmon', 'sysmon_event2']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 9 :green_circle:
Event generation command

```
> .\SysmonSimulator.exe -eid 9
```

Event

```
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"9","version":"2","level":"4","task":"9","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-17T13:57:15.4143579Z","eventRecordID":"6","processID":"1380","threadID":"3336","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2022-10-17 13:57:15.408\r\nProcessGuid: {3bd4f97a-5f3b-634d-2903-000000009500}\r\nProcessId: 4192\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nDevice: \\Device\\HarddiskVolume1\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-17 13:57:15.408","processGuid":"{3bd4f97a-5f3b-634d-2903-000000009500}","processId":"4192","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","device":"\\\\Device\\\\HarddiskVolume1","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Alert

```
**Phase 3: Completed filtering (rules).
	id: '61611'
	level: '0'
	description: 'Sysmon - Event 9: RawAccessRead by C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe'
	groups: '['windows', 'sysmon', 'sysmon_event9']'
	firedtimes: '1'
	mail: 'False'
```
Sysmon - Event 255 :green_circle:
Event generation command

Not possible to replicate. Using a custom event instead.

Event

```
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"255","version":"2","level":"4","task":"9","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-10-17T13:57:15.4143579Z","eventRecordID":"6","processID":"1380","threadID":"3336","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-N9OLJ1L","severityValue":"INFORMATION","message":"\"RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2022-10-17 13:57:15.408\r\nProcessGuid: {3bd4f97a-5f3b-634d-2903-000000009500}\r\nProcessId: 4192\r\nImage: C:\\Users\\qa\\Downloads\\SysmonSimulator-Latest.exe\\SysmonSimulator.exe\r\nDevice: \\Device\\HarddiskVolume1\r\nUser: EC2AMAZ-N9OLJ1L\\qa\""},"eventdata":{"utcTime":"2022-10-17 13:57:15.408","processGuid":"{3bd4f97a-5f3b-634d-2903-000000009500}","processId":"4192","image":"C:\\\\Users\\\\qa\\\\Downloads\\\\SysmonSimulator-Latest.exe\\\\SysmonSimulator.exe","device":"\\\\Device\\\\HarddiskVolume1","user":"EC2AMAZ-N9OLJ1L\\\\qa"}}}
```

Alert

```
**Phase 3: Completed filtering (rules).
	id: '61655'
	level: '0'
	description: 'Sysmon - Event 255: Sysmon error'
	groups: '['windows', 'sysmon', 'sysmon_event_255']'
	firedtimes: '1'
	mail: 'False'
```

Conclusion :green_circle:

All issues have been fixed satisfactorily. It is suggested to improve "Learn to detect threats on Windows by monitoring Sysmon events":
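The checks in both testing rounds follow the same pattern: feed a captured (or custom) Sysmon event to wazuh-logtest and confirm that the phase 3 block names the rule id, groups and description expected for that event ID. The following added Python example (not part of the wazuh-qa framework) automates that comparison using the rule ids observed in this issue, and builds the custom events used where no generator was available (events 23, 24, 26 and 255) by rewriting the event ID of a captured line. The sample event line and logtest outputs are constructed from the event 17 and event 255 results above.

```python
"""Check wazuh-logtest output for a Sysmon event against the rule observed for
that event ID in this issue, and build custom events for IDs that could not be
generated. Added example; not part of the wazuh-qa framework."""
import json
import re

# Rule id and group per Sysmon event ID, read from the logtest output in this
# issue. Event 15 is omitted because its alert excerpt does not show a rule id.
EXPECTED_RULES = {
    "2": ("61604", "sysmon_event2"),
    "9": ("61611", "sysmon_event9"),
    "16": ("61644", "sysmon_event_16"),
    "17": ("61645", "sysmon_event_17"),
    "18": ("61646", "sysmon_event_18"),
    "19": ("61647", "sysmon_event_19"),
    "20": ("61648", "sysmon_event_20"),
    "21": ("61649", "sysmon_event_21"),
    "22": ("61650", "sysmon_event_22"),
    "23": ("61651", "sysmon_event_23"),
    "24": ("61652", "sysmon_event_24"),
    "25": ("61653", "sysmon_event_25"),
    "26": ("61654", "sysmon_event_26"),
    "255": ("61655", "sysmon_event_255"),
}

_PREFIX = re.compile(r"^.*?any->EventChannel\s+")
# One "<field>: '<value>'" line of the logtest phase 3 block.
_FIELD = re.compile(r"^\s*(\w+): '(.*)'$", re.MULTILINE)


def parse_event(line):
    """Return the 'win' object from a Wazuh EventChannel line or bare JSON."""
    return json.loads(_PREFIX.sub("", line.strip(), count=1))["win"]


def make_custom_event(line, new_event_id):
    """Rewrite the Sysmon event ID of a captured event and return bare JSON for
    wazuh-logtest, the approach used above for events 23, 24, 26 and 255."""
    ev = parse_event(line)
    ev["system"]["eventID"] = str(new_event_id)
    return json.dumps({"win": ev}, ensure_ascii=False)


def parse_logtest_phase3(output):
    """Parse the phase 3 block of wazuh-logtest into a dict. The groups value is
    printed as a Python-style list literal and is split into a real list."""
    if "**Phase 3: Completed filtering (rules)." not in output:
        raise ValueError("no phase 3 block: the event matched no rule")
    fields = dict(_FIELD.findall(output))
    if "groups" in fields:
        fields["groups"] = re.findall(r"'([^']*)'", fields["groups"])
    return fields


def check_sysmon_alert(event_line, logtest_output):
    """Return the mismatches between the alert logtest produced and the rule
    expected for the event's Sysmon ID; an empty list means the check passed."""
    eid = parse_event(event_line)["system"]["eventID"]
    if eid not in EXPECTED_RULES:
        raise KeyError(f"no expected rule recorded for Sysmon event {eid}")
    rule_id, group = EXPECTED_RULES[eid]
    alert = parse_logtest_phase3(logtest_output)
    problems = []
    if alert.get("id") != rule_id:
        problems.append(f"event {eid}: rule {alert.get('id')} fired, expected {rule_id}")
    groups = alert.get("groups", [])
    for g in ("windows", "sysmon", group):
        if g not in groups:
            problems.append(f"event {eid}: alert lacks group {g!r}")
    if not alert.get("description", "").startswith(f"Sysmon - Event {eid}:"):
        problems.append(f"event {eid}: description does not name the event: "
                        f"{alert.get('description')!r}")
    return problems


# Constructed samples: a trimmed event 17 line, and the logtest outputs seen in
# this issue for event 17 and for event 255 before rule 61655 existed.
SAMPLE_EVENT_17 = (r'2022 Oct 13 16:37:53 (EC2AMAZ-N9OLJ1L) any->EventChannel '
                   r'{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"17"},'
                   r'"eventdata":{"eventType":"CreatePipe","pipeName":"\\\\sysmontestnamedpipe"}}}')
SAMPLE_EVENT_255 = make_custom_event(SAMPLE_EVENT_17, 255)

LOGTEST_17 = """**Phase 3: Completed filtering (rules).
\tid: '61645'
\tlevel: '0'
\tdescription: 'Sysmon - Event 17: Pipe created'
\tgroups: '['windows', 'sysmon', 'sysmon_event_17']'
\tfiredtimes: '1'
\tmail: 'False'
"""
LOGTEST_255_BEFORE_FIX = """**Phase 3: Completed filtering (rules).
\tid: '61600'
\tlevel: '0'
\tdescription: 'Windows Sysmon informational event'
\tgroups: '['windows', 'sysmon']'
\tfiredtimes: '1'
\tmail: 'False'
"""

if __name__ == "__main__":
    print(check_sysmon_alert(SAMPLE_EVENT_17, LOGTEST_17))
    print(check_sysmon_alert(SAMPLE_EVENT_255, LOGTEST_255_BEFORE_FIX))
```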

jmv74211 commented 2 years ago

Closing conclusion 👍🏼

🟢 Solved
🔵 Proposed to be fixed in future versions or developments

After talking with the development team, the testing has been approved taking into account the following considerations proposed in the QA review:

(1) Sysmon event 2 rule for creation time changes uses win.eventdata.sourceImage instead of win.eventdata.image, making the description incomplete (cc @wazuh/threat-intel). 🟢

The development team has fixed it in https://github.com/wazuh/wazuh/pull/13594/commits/8c05ff464bd35bd7936a49c8385b85d0ee40b322. See https://github.com/wazuh/wazuh-qa/issues/3458#issuecomment-1280636442

(2) Sysmon event 9 for RawAccessRead uses win.eventdata.sourceImage instead of win.eventdata.image, making the description incomplete (cc @wazuh/threat-intel). 🟢

The development team has fixed it in https://github.com/wazuh/wazuh/pull/13594/commits/8c05ff464bd35bd7936a49c8385b85d0ee40b322. See https://github.com/wazuh/wazuh-qa/issues/3458#issuecomment-1280636442

(3) Sysmon error event (255) is not included in the ruleset (cc @wazuh/threat-intel). 🟢

The development team has fixed it in https://github.com/wazuh/wazuh/pull/13594/commits/8c05ff464bd35bd7936a49c8385b85d0ee40b322. See https://github.com/wazuh/wazuh-qa/issues/3458#issuecomment-1280636442

(4) Improve blog documentation "Learn to detect threats on Windows by monitoring Sysmon events" (cc @wazuh/content) 🔵

The following issue has been opened to report it: wazuh-documentation#5672.