New Sysmon OSSEC Decoders…

Jesús Linares / Wazuh have recently released OSSEC decoders for every EventID in the current Sysmon release (v3.11). Up until this point, I had been maintaining primarily just EventID 1 (Process Creation), but now we have the added benefit of parsed logs for the following Sysmon events:

ID2: A process changed a file creation time
ID3: Network connection
ID4: Sysmon service state changed
ID5: Process terminated
ID6: Driver loaded
ID7: Image loaded
ID8: CreateRemoteThread

This is a great addition, as we can now start writing rules against thread injection events, unsigned drivers being loaded, etc.
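Here is the kind of local rule set this makes possible, as an added example (not part of the post and not taken from the Wazuh rule set): a grouping rule for the Sysmon channel, a child rule that alerts on every CreateRemoteThread event (EventID 8), and a child rule that escalates only driver loads (EventID 6) whose Sysmon signature check came back false. The rule IDs (100100-100102) are arbitrary values in the local-rules range, and the decoded field name `sysmon.signed` is an assumption; confirm it against the names the decoder file actually emits before relying on the rule.

```xml
<!-- Added example, not part of the post or of the Wazuh decoder set.
     Rule IDs 100100-100102 are arbitrary local-rule IDs.
     The field name 'sysmon.signed' is an ASSUMPTION about what the
     Sysmon decoder emits for EventID 6; verify it against the decoder. -->
<group name="sysmon,local,">

  <!-- Parent rule: any event from the Sysmon channel, as decoded by the
       stock 'windows' decoder (WinEvtLog format). Level 0 alerts nothing
       by itself; it only gives the children something to hang off. -->
  <rule id="100100" level="0">
    <decoded_as>windows</decoded_as>
    <match>Microsoft-Windows-Sysmon</match>
    <description>Sysmon event (grouping rule)</description>
  </rule>

  <!-- EventID 8: CreateRemoteThread. A thread started inside another
       process is uncommon in normal operation, so every occurrence is
       alerted at level 10 and should be reviewed. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <id>^8$</id>
    <description>Sysmon: remote thread created in another process (EventID 8)</description>
    <group>injection,</group>
  </rule>

  <!-- EventID 6: driver loaded. Signed drivers stay quiet; an unsigned
       driver entering the kernel is escalated to level 12.
       'sysmon.signed' is the assumed decoder field for Sysmon's
       Signed=true/false value. -->
  <rule id="100102" level="12">
    <if_sid>100100</if_sid>
    <id>^6$</id>
    <field name="sysmon.signed">^false$</field>
    <description>Sysmon: unsigned driver loaded (EventID 6)</description>
    <group>driver,</group>
  </rule>

</group>
```

Drop the block into local_rules.xml and feed a captured Sysmon WinEvtLog line to ossec-logtest to confirm which rule fires and which fields the decoder populated; that run is also where the assumed field name gets checked.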

You can find the decoders on Github: https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml

-Josh
