1 <!--Maintained by Josh Brower, Josh@DefensiveDepth.com -->
2 <!--Licensed under the MIT License: http://opensource.org/licenses/MIT-->
4 <!-- Ruleset to detect Windows Process Anomalies -
5 - Uses Sysmon Event ID 1 logs & associated decoder.
6 - Currently only looks at Parent Image Anomalies.
7 - Windows Process Attributes documentation here: http://defensivedepth.com/windows-processes
9 - OSSEC to Sysmon (Event ID 1) Fields Mapping:
13 - extra_data = ParentImage
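<group name="sysmon_process-anomalies">

  <!-- How these rules work:
       Each "Suspicious Process" rule (level 12) fires on a Sysmon Event ID 1 record
       that reached the base rule 18100 (not defined in this file; presumably the
       Sysmon Event ID 1 decoder rule) and whose status field contains the named
       Windows binary. The header above maps extra_data to ParentImage; status is
       presumably mapped to Image (confirm against the decoder). A child rule with
       level 0 then silences the alert when the parent image contains the expected
       parent, so an alert means the process was started by an unexpected parent.

       Matching caveats for whoever tunes these:
       * OSSEC sregex fields (status, extra_data) match the pattern anywhere in the
         field unless anchored. The patterns below constrain only the file name, not
         the directory, so a binary in any folder that carries an expected parent's
         name still satisfies the level 0 exception. Path checks are out of scope
         here (the header says only parent image anomalies are covered).
       * A leading backslash (as in \services.exe or \explorer.exe) requires a path
         separator before the name and so does not match e.g. xservices.exe; the
         bare names accept any image path containing that text. Consider anchoring
         the remaining names the same way when tightening these rules. -->

  <!-- svchost.exe: expected parent services.exe -->
  <rule id="18501" level="12">
    <if_sid>18100</if_sid>
    <status>svchost.exe</status>
    <description>Sysmon - Suspicious Process - svchost.exe</description>
  </rule>

  <rule id="18502" level="0">
    <if_sid>18501</if_sid>
    <extra_data>\services.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - svchost.exe</description>
  </rule>

  <!-- lsm.exe: expected parent wininit.exe; lsm.exe is not expected to be a parent -->
  <rule id="18511" level="12">
    <if_sid>18100</if_sid>
    <status>lsm.exe</status>
    <description>Sysmon - Suspicious Process - lsm.exe</description>
  </rule>

  <rule id="18512" level="0">
    <if_sid>18511</if_sid>
    <extra_data>wininit.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - lsm.exe</description>
  </rule>

  <!-- Fires on any process whose parent image contains lsm.exe (no level 0 exception) -->
  <rule id="18513" level="12">
    <if_sid>18100</if_sid>
    <extra_data>lsm.exe</extra_data>
    <description>Sysmon - Suspicious Process - lsm.exe is a Parent Image</description>
  </rule>

  <!-- csrss.exe: expected parent smss.exe -->
  <rule id="18521" level="12">
    <if_sid>18100</if_sid>
    <status>csrss.exe</status>
    <description>Sysmon - Suspicious Process - csrss.exe</description>
  </rule>

  <rule id="18522" level="0">
    <if_sid>18521</if_sid>
    <extra_data>smss.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - csrss.exe</description>
  </rule>

  <!-- lsass.exe: expected parent wininit.exe; lsass.exe is not expected to be a parent -->
  <rule id="18531" level="12">
    <if_sid>18100</if_sid>
    <status>lsass.exe</status>
    <description>Sysmon - Suspicious Process - lsass</description>
  </rule>

  <rule id="18532" level="0">
    <if_sid>18531</if_sid>
    <extra_data>wininit.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - lsass.exe</description>
  </rule>

  <!-- Fires on any process whose parent image contains lsass.exe (no level 0 exception) -->
  <rule id="18533" level="12">
    <if_sid>18100</if_sid>
    <extra_data>lsass.exe</extra_data>
    <description>Sysmon - Suspicious Process - lsass.exe is a Parent Image</description>
  </rule>

  <!-- winlogon.exe: expected parent smss.exe -->
  <rule id="18541" level="12">
    <if_sid>18100</if_sid>
    <status>winlogon.exe</status>
    <description>Sysmon - Suspicious Process - winlogon.exe</description>
  </rule>

  <rule id="18542" level="0">
    <if_sid>18541</if_sid>
    <extra_data>smss.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - winlogon.exe</description>
  </rule>

  <!-- wininit.exe: expected parent smss.exe -->
  <rule id="18551" level="12">
    <if_sid>18100</if_sid>
    <status>wininit.exe</status>
    <description>Sysmon - Suspicious Process - wininit</description>
  </rule>

  <rule id="18552" level="0">
    <if_sid>18551</if_sid>
    <extra_data>smss.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - wininit.exe</description>
  </rule>

  <!-- smss.exe: expected parent is the System process.
       NOTE(review): Sysmon presumably records this ParentImage as "System" (capital S).
       If the sregex comparison is case-sensitive, the lowercase pattern below never
       matches, the level 0 exception never applies and every smss.exe start alerts.
       Confirm against real events before relying on this pair. -->
  <rule id="18561" level="12">
    <if_sid>18100</if_sid>
    <status>smss.exe</status>
    <description>Sysmon - Suspicious Process - smss.exe</description>
  </rule>

  <rule id="18562" level="0">
    <if_sid>18561</if_sid>
    <extra_data>system</extra_data>
    <description>Sysmon - Legitimate Parent Image - smss.exe</description>
  </rule>

  <!-- taskhost.exe: expected parent services.exe or svchost.exe -->
  <rule id="18571" level="12">
    <if_sid>18100</if_sid>
    <status>taskhost.exe</status>
    <description>Sysmon - Suspicious Process - taskhost.exe</description>
  </rule>

  <rule id="18572" level="0">
    <if_sid>18571</if_sid>
    <extra_data>services.exe|svchost.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - taskhost.exe</description>
  </rule>

  <!-- services.exe: expected parent wininit.exe.
       The name is anchored with a backslash (the Windows path separator), matching the
       convention used for \services.exe and \explorer.exe elsewhere in this group. It
       was previously written with a forward slash, which never occurs in a Windows
       image path, so the rule could not fire. -->
  <rule id="18581" level="12">
    <if_sid>18100</if_sid>
    <status>\services.exe</status>
    <description>Sysmon - Suspicious Process - services.exe</description>
  </rule>

  <rule id="18582" level="0">
    <if_sid>18581</if_sid>
    <extra_data>wininit.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - services.exe</description>
  </rule>

  <!-- dllhost.exe: expected parent svchost.exe or services.exe -->
  <rule id="18591" level="12">
    <if_sid>18100</if_sid>
    <status>dllhost.exe</status>
    <description>Sysmon - Suspicious Process - dllhost.exe</description>
  </rule>

  <rule id="18592" level="0">
    <if_sid>18591</if_sid>
    <extra_data>svchost.exe|services.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - dllhost.exe</description>
  </rule>

  <!-- explorer.exe: expected parent userinit.exe -->
  <rule id="18601" level="12">
    <if_sid>18100</if_sid>
    <status>\explorer.exe</status>
    <description>Sysmon - Suspicious Process - explorer.exe</description>
  </rule>

  <rule id="18602" level="0">
    <if_sid>18601</if_sid>
    <extra_data>userinit.exe</extra_data>
    <description>Sysmon - Legitimate Parent Image - explorer.exe</description>
  </rule>

</group> <!-- sysmon_process-anomalies -->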