
Fixed sysmon (ID 3) decoders #127

Merged
merged 2 commits into from
May 14, 2018

Conversation

frgv
Contributor

@frgv frgv commented Apr 30, 2018

As referred to here: https://groups.google.com/forum/#!topic/wazuh/xt4HUf8gu_E

Sysmon decoders were not extracting Source Port Name or Destination Port Name fields.

Decoder has been fixed to extract these fields:


2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName: whatever  DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https


**Phase 1: Completed pre-decoding.
       full event: '2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName: whatever  DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https'
       timestamp: '2015 Nov 19 20:33:25'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName: whatever  DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https'

**Phase 2: Completed decoding.
       decoder: 'windows'
       id: '3'
       sysmon.processGuid: '{0B364D7C-23F6-564E-0000-00100D5A1100}'
       sysmon.processId: '2028'
       sysmon.image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
       srcuser: 'WIN-K3UD9R5LCEL\Administrator'
       proto: 'tcp'
       sysmon.initiated: 'true'
       sysmon.sourceIsIpv6: 'false'
       srcip: '192.168.2.201'
       sysmon.sourceHostname: 'WIN-K3UD9R5LCEL.LinDomain'
       srcport: '49192'
       sysmon.srcPortName: 'whatever'
       sysmon.destinationIsIpv6: 'false'
       dstip: 'XXX.58.XXX.206'
       sysmon.destinationHostname: 'webdest'
       dstport: '443'
       sysmon.dstPortName: 'https'

**Phase 3: Completed filtering (rules).
       Rule id: '185001'
       Level: '0'
       Description: 'Sysmon - Event 3'

And, with Source Port Name field empty:

2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName:   DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https


**Phase 1: Completed pre-decoding.
       full event: '2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName:   DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https'
       timestamp: '2015 Nov 19 20:33:25'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName:   DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https'

**Phase 2: Completed decoding.
       decoder: 'windows'
       id: '3'
       sysmon.processGuid: '{0B364D7C-23F6-564E-0000-00100D5A1100}'
       sysmon.processId: '2028'
       sysmon.image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
       srcuser: 'WIN-K3UD9R5LCEL\Administrator'
       proto: 'tcp'
       sysmon.initiated: 'true'
       sysmon.sourceIsIpv6: 'false'
       srcip: '192.168.2.201'
       sysmon.sourceHostname: 'WIN-K3UD9R5LCEL.LinDomain'
       srcport: '49192'
       sysmon.srcPortName: ''
       sysmon.destinationIsIpv6: 'false'
       dstip: 'XXX.58.XXX.206'
       sysmon.destinationHostname: 'webdest'
       dstport: '443'
       sysmon.dstPortName: 'https'

**Phase 3: Completed filtering (rules).
       Rule id: '185001'
       Level: '0'
       Description: 'Sysmon - Event 3'
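To show what the fixed decoder has to produce from the two samples above, here is an added Python re-implementation of the decoding phases (example code, not Wazuh's own XML decoder): it pre-decodes the agent line, splits the two-space-separated Sysmon body and maps keys to the Wazuh field names listed in the Phase 2 output, emitting an empty sysmon.srcPortName instead of dropping the field. The sample strings are constructed from the messages in this PR; the field map and regular expressions are this example's own assumptions.

```python
import re

# Constructed sample taken from the PR description: a Sysmon Event ID 3 line as the
# Wazuh agent forwards it (header parts ": "-separated, body fields two-space separated).
SAMPLE = (
    "2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): "
    "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  "
    "UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  "
    "ProcessId: 2028  Image: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe  "
    "User: WIN-K3UD9R5LCEL\\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  "
    "SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  "
    "SourcePortName: whatever  DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  "
    "DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https"
)
# The same event with an empty SourcePortName, the case the old decoder dropped.
SAMPLE_EMPTY_PORTNAME = SAMPLE.replace("SourcePortName: whatever", "SourcePortName: ")
# Sysmon key -> Wazuh field name, as listed in the Phase 2 output above (assumed mapping).
FIELD_MAP = {
    "ProcessGuid": "sysmon.processGuid", "ProcessId": "sysmon.processId", "Image": "sysmon.image",
    "User": "srcuser", "Protocol": "proto", "Initiated": "sysmon.initiated",
    "SourceIsIpv6": "sysmon.sourceIsIpv6", "SourceIp": "srcip", "SourcePort": "srcport",
    "SourceHostname": "sysmon.sourceHostname", "SourcePortName": "sysmon.srcPortName",
    "DestinationIsIpv6": "sysmon.destinationIsIpv6", "DestinationIp": "dstip", "DestinationPort": "dstport",
    "DestinationHostname": "sysmon.destinationHostname", "DestinationPortName": "sysmon.dstPortName",
}
PREDECODE_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+?): (.*)$")
EVENT_ID_RE = re.compile(r"\((\d+)\):")


def predecode(event):
    """Phase 1: split off timestamp and program name; 'log' is what the decoder sees."""
    m = PREDECODE_RE.match(event)
    if not m:
        raise ValueError("not a WinEvtLog line")
    return {"timestamp": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def decode_sysmon(log):
    """Phase 2: map the Sysmon body to Wazuh fields. 'Key:' followed by nothing is an
    empty value, not a missing field, so it is still emitted (the behaviour this PR fixes)."""
    header, sep, body = log.partition("  ")
    if not sep or not header.startswith("Microsoft-Windows-Sysmon/Operational:"):
        return None  # not from the Sysmon/Operational channel
    m = EVENT_ID_RE.search(header)
    decoded = {"decoder": "windows", "id": m.group(1) if m else None}
    for item in body.split("  "):
        key, _, value = item.strip().partition(":")
        if key in FIELD_MAP:
            decoded[FIELD_MAP[key]] = value.strip()
    return decoded
```

Running decode_sysmon(predecode(SAMPLE_EMPTY_PORTNAME)["log"]) yields sysmon.srcPortName as '' while every following field (DestinationIsIpv6, dstip, dstport, sysmon.dstPortName) is still extracted, matching the second logtest run above.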

@frgv frgv requested a review from jesuslinares April 30, 2018 09:50
@jesuslinares jesuslinares changed the base branch from master to 3.2 May 14, 2018 12:46
@jesuslinares jesuslinares changed the base branch from 3.2 to master May 14, 2018 12:47
@jesuslinares jesuslinares merged commit 97f5311 into master May 14, 2018
@jesuslinares jesuslinares deleted the fix_sysmon_decoder branch May 14, 2018 12:47
@jesuslinares
Contributor

Thanks @frgv!
