X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Frules%2Fsysmon_rules.xml;fp=etc%2Frules%2Fsysmon_rules.xml;h=32714984b9611f615ce79a39bc6b29e46f94758e;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/etc/rules/sysmon_rules.xml b/etc/rules/sysmon_rules.xml
new file mode 100644
index 0000000..3271498
--- /dev/null
+++ b/etc/rules/sysmon_rules.xml
@@ -0,0 +1,173 @@
+<!--Maintained by Josh Brower, Josh@DefensiveDepth.com -->
+<!--Licensed under the MIT License: http://opensource.org/licenses/MIT-->
+
+<!-- Ruleset to detect Windows Process Anomalies - 
+  -  Uses Sysmon Event ID 1 logs & associated decoder.
+  -  Currently only looks at Parent Image Anomalies.
+  -  Windows Process Attributes documentation here: http://defensivedepth.com/windows-processes
+  -
+  -  OSSEC to Sysmon (Event ID 1) Fields Mapping:
+  -  user = User
+  -  status = Image
+  -  url = Hash
+  -  extra_data = ParentImage
+  -->
+  
+<group name="sysmon_process-anomalies">
+  
+ <rule id="18501" level="12">
+  <if_sid>18100</if_sid>
+  <status>svchost.exe</status>
+  <description>Sysmon - Suspicious Process - svchost.exe</description>
+ </rule>
+
+ <rule id="18502" level="0">
+  <if_sid>18501</if_sid>
+  <extra_data>\services.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - svchost.exe</description>
+ </rule>
+
+
+<rule id="18511" level="12">
+  <if_sid>18100</if_sid>
+  <status>lsm.exe</status>
+  <description>Sysmon - Suspicious Process - lsm.exe</description>
+</rule>
+
+<rule id="18512" level="0">
+  <if_sid>18511</if_sid>
+  <extra_data>wininit.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - lsm.exe</description>
+</rule>
+
+<rule id="18513" level="12">
+  <if_sid>18100</if_sid>
+  <extra_data>lsm.exe</extra_data>
+  <description>Sysmon - Suspicious Process - lsm.exe is a Parent Image</description>
+</rule>
+
+
+<rule id="18521" level="12">
+  <if_sid>18100</if_sid>
+  <status>csrss.exe</status>
+  <description>Sysmon - Suspicious Process - csrss.exe</description>
+</rule>
+
+<rule id="18522" level="0">
+  <if_sid>18521</if_sid>
+  <extra_data>smss.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - csrss.exe</description>
+</rule>
+
+
+<rule id="18531" level="12">
+  <if_sid>18100</if_sid>
+  <status>lsass.exe</status>
+  <description>Sysmon - Suspicious Process - lsass</description>
+</rule>
+
+<rule id="18532" level="0">
+  <if_sid>18531</if_sid>
+  <extra_data>wininit.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - lsass.exe</description>
+</rule>
+
+<rule id="18533" level="12">
+  <if_sid>18100</if_sid>
+  <extra_data>lsass.exe</extra_data>
+  <description>Sysmon - Suspicious Process - lsass.exe is a Parent Image</description>
+</rule>
+
+
+<rule id="18541" level="12">
+  <if_sid>18100</if_sid>
+  <status>winlogon.exe</status>
+  <description>Sysmon - Suspicious Process - winlogon.exe</description>
+</rule>
+
+<rule id="18542" level="0">
+  <if_sid>18541</if_sid>
+  <extra_data>smss.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - winlogon.exe</description>
+</rule>
+
+
+<rule id="18551" level="12">
+  <if_sid>18100</if_sid>
+  <status>wininit.exe</status>
+  <description>Sysmon - Suspicious Process - wininit</description>
+</rule>
+
+<rule id="18552" level="0">
+  <if_sid>18551</if_sid>
+  <extra_data>smss.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - wininit.exe</description>
+</rule>
+
+
+<rule id="18561" level="12">
+  <if_sid>18100</if_sid>
+  <status>smss.exe</status>
+  <description>Sysmon - Suspicious Process - smss.exe</description>
+</rule>
+
+<rule id="18562" level="0">
+  <if_sid>18561</if_sid>
+  <extra_data>system</extra_data>
+  <description>Sysmon - Legitimate Parent Image - smss.exe</description>
+</rule>
+
+
+<rule id="18571" level="12">
+  <if_sid>18100</if_sid>
+  <status>taskhost.exe</status>
+  <description>Sysmon - Suspicious Process - taskhost.exe</description>
+</rule>
+
+<rule id="18572" level="0">
+  <if_sid>18571</if_sid>
+  <extra_data>services.exe|svchost.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - taskhost.exe</description>
+</rule>
+
+
+<rule id="18581" level="12">
+  <if_sid>18100</if_sid>
+  <status>/services.exe</status>
+  <description>Sysmon - Suspicious Process - services.exe</description>
+</rule>
+
+<rule id="18582" level="0">
+  <if_sid>18581</if_sid>
+  <extra_data>wininit.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - services.exe</description>
+</rule>
+
+
+<rule id="18591" level="12">
+  <if_sid>18100</if_sid>
+  <status>dllhost.exe</status>
+  <description>Sysmon - Suspicious Process - dllhost.exe</description>
+</rule>
+
+<rule id="18592" level="0">
+  <if_sid>18591</if_sid>
+  <extra_data>svchost.exe|services.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - dllhost.exe</description>
+</rule>
+
+
+<rule id="18601" level="12">
+  <if_sid>18100</if_sid>
+  <status>\explorer.exe</status>
+  <description>Sysmon - Suspicious Process - explorer.exe</description>
+</rule>
+
+<rule id="18602" level="0">
+  <if_sid>18601</if_sid>
+  <extra_data>userinit.exe</extra_data>
+  <description>Sysmon - Legitimate Parent Image - explorer.exe</description>
+</rule>
+</group> <!-- sysmon_process-anomalies -->
+
+<!-- EOF -->