Permalink
Browse files

Sysmon logging has changed. We now call program: *Sysmon*;

  • Loading branch information...
Champ Clark III
Champ Clark III committed Jan 26, 2018
1 parent a84b30b commit 93b186e9c7ee1a4339c90317718ba6e383cc8058
Showing with 10 additions and 12 deletions.
  1. +10 −12 windows-sysmon.rules
@@ -29,51 +29,49 @@
# Created by Champ Clark 04/08/2016. You'll need PSEXEC_MD5 defined in your sagan.conf!
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execution detected"; content: " 1: "; meta_content: "MD5=%sagan%,",$PSEXEC_MD5; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002799; sid:5002799; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execution detected"; content: " 1: "; meta_content: "MD5=%sagan%,",$PSEXEC_MD5; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002799; sid:5002799; rev:3;)
# Locky Ransomware
# Champ Clark 04/08/2016
# Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:29:03.829 ProcessGuid: {E67F94C7-419F-5707-0000-00103FB11D00} ProcessId: 2920 Image: C:\Windows\System32\notepad.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\frankw\Desktop\_HELP_instructions.txt CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=7EB0139D2175739B3CCB0D1110067820BE6ABD29,MD5=F2C7BB8ACC97F92E987A2D4087D021B1,SHA256=142E1D688EF0568370C37187FD9F2351D7DDEDA574F8BFA9B0FA4EF42DB85AA2 ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky/CrypoMix ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky/CrypoMix ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:4;)
# vssadmin.exe is sometimes used by malware to delete shadow volume copied. Below is Locky:
# Champ Clark 04/08/2016
# 1: Process Create: UtcTime: 2016-04-08 05:28:44.314 ProcessGuid: {E67F94C7-418C-5707-0000-00103EB31C00} ProcessId: 2404 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=09FAFEB1B8404124B33C44440BE7E3FDB6105F8A,MD5=E23DD973E1444684EB36365DEFF1FC74,SHA256=4DE7FA20E3224382D8C4A81017E5BDD4673AFBEF9C0F017E203D7B78977FBF8C ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] vssadmin.exe execution. Possible ransomware"; content: " 1: "; content: "vssadmin.exe"; nocase; content: "Delete Shadows"; nocase; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002803; sid:5002803; rev:2;)
# NEW RULES:
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] vssadmin.exe execution. Possible ransomware"; content: " 1: "; content: "vssadmin.exe"; nocase; content: "Delete Shadows"; nocase; classtype: trojan-activity; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002803; sid:5002803; rev:3;)
# daemon|notice|notice|1d|2016-04-08|05:52:28|Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:52:28.315 ProcessGuid: {E67F94C7-471C-5707-0000-0010FB0B1A00} ProcessId: 688 Image: C:\Windows\System32\wbem\WMIC.exe CommandLine: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9 ParentProcessGuid: {E67F94C7-471A-5707-0000-0010DAF41900} ParentProcessId: 2796 ParentImage: C:\Windows\jacjfunqpvji.exe ParentCommandLine: C:\Windows\jacjfunqpvji.exe
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete"; content: " 1: "; content: "wmic"; nocase; content: "shadowcopy delete"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002810; sid:5002810; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete"; content: " 1: "; content: "wmic"; nocase; content: "shadowcopy delete"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002810; sid:5002810; rev:3;)
# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.199 ProcessGuid: {E67F94C7-7D82-5708-0000-001042E21B00} ProcessId: 2628 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF4 1A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get UUID"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002811; sid:5002811; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get UUID"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002811; sid:5002811; rev:3;)
# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.870 ProcessGuid: {E67F94C7-7D82-5708-0000-0010C8731C00} ProcessId: 768 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002812; sid:5002812; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002812; sid:5002812; rev:3;)
# daemon|notice|notice|1d|2016-04-09|03:56:51|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:51.432 ProcessGuid: {E67F94C7-7D83-5708-0000-001007D91C00} ProcessId: 2256 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get Version /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version"; content: " 1: "; content: "wmic"; nocase; content: "bios Get Version"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002813; sid:5002813; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version"; content: " 1: "; content: "wmic"; nocase; content: "bios Get Version"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002813; sid:5002813; rev:3;)
# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.213 ProcessGuid: {E67F94C7-7DBD-5708-0000-001099CD0600} ProcessId: 1420 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsh1DDF.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020CFB40100} LogonId: 0x1b4cf TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB4-5708-0000-00100B100600} ParentProcessId: 2628 ParentImage: C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002814; sid:5002814; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002814; sid:5002814; rev:3;)
# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.068 ProcessGuid: {E67F94C7-7DBD-5708-0000-0010AF1D0700} ProcessId: 668 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get Name /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsj3A92.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020DCBC0100} LogonId: 0x1bcdc TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB3-5708-0000-0010143A0600} ParentProcessId: 592 ParentImage: C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe"
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get Name"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002815; sid:5002815; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get Name"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002815; sid:5002815; rev:3;)
# daemon|notice|notice|1d|2016-04-09|03:55:09|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:55:09.240 ProcessGuid: {E67F94C7-7D1D-5708-0000-001041E40700} ProcessId: 1556 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: wmic computersystem get model /format:list CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32FD-5707-0000-00203DB30100} LogonId: 0x1b33d TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D1C-5708-0000-0010CDC80700} ParentProcessId: 2936 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model"; content: " 1: "; content: "wmic"; nocase; content: "computersystem get model"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002816; sid:5002816; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model"; content: " 1: "; content: "wmic"; nocase; content: "computersystem get model"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002816; sid:5002816; rev:3;)

0 comments on commit 93b186e

Please sign in to comment.