projects / ossec-hids.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / usr / share / doc / ossec-hids / contrib / ossec-testing / tests / sysmon.ini
1 [Sysmon EventID#1 - Suspicious svchost process]
2 log 1 pass = 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM  ProcessGuid: {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  Image: C:\Windows\system32\svchost.exe  CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log  User: WIN-U93G48C7BOP\Administrator  LogonGuid: {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash: 9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage: C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE
3 rule = 18501
4 alert = 12
5 decoder = Sysmon-EventID#1
6
7 [Sysmon EventID#1 - non-Suspicious svchost process]
8 log 1 pass = 2014 Dec 20 12:15:13 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 12:15 PM  ProcessGuid: {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  Image: C:\Windows\system32\svchost.exe  CommandLine: "C:\windows\system32\svchost.exe -k defragsvc"  User: NT AUTHORITY\SYSTEM  LogonGuid: {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash: 9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage: C:\Windows\System32\services.exe  ParentCommandLine: C:\Windows\System32\services.exe
9 rule = 18502
10 alert = 0
11 decoder = Sysmon-EventID#1
12
13 [Windows Event]
14 2015 Mar 30 15:47:04 WinEvtLog: System: INFORMATION(1): Sysmon: UserName: SYSTEM-NAME: SYSTEM-NAME: Process Create:      UtcTime: 3/30/2015 10:47:04.494 PM      ProcessGuid: {7531FA7E-D268-5519-0000-00105DF81A06}      ProcessId: 4388      Image: C:\WINDOWS\system32\cmd.exe      CommandLine: "C:\windows\system32\cmd.exe"       User: SYSTEM-NAME\UserName      LogonGuid: {7531FA7E-CFE1-5519-0000-0020F62C1906}      LogonId: 0x6192cf6      TerminalSessionId: 3      IntegrityLevel: no level      HashType: SHA1      Hash: 254E37EC33C921C5AB253F14F9274F349B3CCC2D      ParentProcessGuid: {7531FA7E-CFE2-5519-0000-0010CC5A1906}      ParentProcessId: 1008      ParentImage: C:\WINDOWS\explorer.exe      ParentCommandLine: C:\windows\Explorer.EXE
15 rule = 18101
16 alert = 0
17 decoder = Sysmon-EventID#1
18
ossec-hids