Windows Defender Decoder?


Rob B

Apr 22, 2016, 4:16:22 PM
to ossec-list
Hello All,

   Does anyone have a decoder for Windows Defender floating around out there??

I'm having a heck of a time... Here is the event channel event example if anyone is curious or can help: (Win10 box)

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          4/22/2016 4:05:17 PM
Event ID:      1116
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      VICTIM0
Description:
Windows Defender has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: Trojan:Win32/Bagsu!rfn
  ID: 2147694406
  Severity: Severe
  Category: Trojan
  Path: containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)
  Detection Origin: Network share
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: frog
  Process Name: C:\Windows\explorer.exe
  Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0
  Engine Version: AM: 1.1.12603.0, NIS: 2.1.11804.0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
    <EventID>1116</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-22T20:05:17.551083000Z" />
    <EventRecordID>95</EventRecordID>
    <Correlation ActivityID="{ECC2B320-F9A6-41AD-9F17-5C9EE24D3330}" />
    <Execution ProcessID="2332" ThreadID="4540" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>VICTIM0</Computer>
    <Security UserID="S-1-5-77" />
  </System>
  <EventData>
    <Data Name="Product Name">%%827</Data>
    <Data Name="Product Version">4.9.10586.0</Data>
    <Data Name="Detection ID">{CAADD684-36C9-444B-8A6D-8CE537A93E40}</Data>
    <Data Name="Detection Time">2016-04-22T20:04:40.369Z</Data>
    <Data Name="Unused">
    </Data>
    <Data Name="Unused2">
    </Data>
    <Data Name="Threat ID">2147694406</Data>
    <Data Name="Threat Name">Trojan:Win32/Bagsu!rfn</Data>
    <Data Name="Severity ID">5</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Category ID">8</Data>
    <Data Name="Category Name">Trojan</Data>
    <Data Name="Status Code">1</Data>
    <Data Name="Status Description">
    </Data>
    <Data Name="State">1</Data>
    <Data Name="Source ID">3</Data>
    <Data Name="Source Name">%%818</Data>
    <Data Name="Process Name">C:\Windows\explorer.exe</Data>
    <Data Name="Detection User">frog</Data>
    <Data Name="Unused3">
    </Data>
    <Data Name="Path">containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe-&gt;(VFS:svchost.exe)</Data>
    <Data Name="Origin ID">2</Data>
    <Data Name="Origin Name">%%846</Data>
    <Data Name="Execution ID">1</Data>
    <Data Name="Execution Name">%%813</Data>
    <Data Name="Type ID">0</Data>
    <Data Name="Type Name">%%822</Data>
    <Data Name="Pre Execution Status">0</Data>
    <Data Name="Action ID">9</Data>
    <Data Name="Action Name">%%887</Data>
    <Data Name="Unused4">
    </Data>
    <Data Name="Error Code">0x00000000</Data>
    <Data Name="Error Description">The operation completed successfully. </Data>
    <Data Name="Unused5">
    </Data>
    <Data Name="Post Clean Status">0</Data>
    <Data Name="Additional Actions ID">0</Data>
    <Data Name="Additional Actions String">No additional actions required</Data>
    <Data Name="Remediation User">
    </Data>
    <Data Name="Unused6">
    </Data>
    <Data Name="Signature Version">AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0</Data>
    <Data Name="Engine Version">AM: 1.1.12603.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>


Thanks! Rob

dan (ddp)

Apr 25, 2016, 9:35:20 AM
to ossec...@googlegroups.com
On Fri, Apr 22, 2016 at 4:16 PM, Rob B <rba...@netorian.com> wrote:
> Hello All,
>
> Does anyone have a decoder for Windows Defender floating around out
> there??
>
> Im having a heck of a time... Here is the event channel event example if
> anyone is curious or can help: (Win10 box)
>

The easiest way to provide log samples that can be turned into
decoders and rules is to turn on the logall option, and grab the logs
from /var/ossec/logs/archives/archives.log on the manager.

Rob B

Apr 25, 2016, 10:13:13 AM
to ossec-list
Dang good idea! Thanks dan!

joe.co...@wazuh.com

May 2, 2016, 3:22:30 PM
to ossec-list
Rob,
Just a tip: if you have VirtualBox or VMware, throw a Manager on there and use it to test your rules and decoders. You can just paste the log into ossec-logtest. It will sure save you a lot of heartache when troubleshooting.

Hope that helps

Brent Morris

May 16, 2016, 5:22:08 PM
to ossec-list
Rob - can you post your OSSEC version of the log?  I can check my rules.  These are a culmination of gleaned rules that I updated some time back with new event IDs.  Yours is covered in there....  but I would like to test it against a valid OSSEC log.  So if you can post it from the OSSEC logs, that'd be great.

Here they are:

<!-- Microsoft Security Essentials rules -->
<group name="windows,mse,">
  <rule id="720001" level="0">
    <category>windows</category>
    <if_sid>18101,18102,18103</if_sid>
    <extra_data>^Microsoft Antimalware</extra_data>
    <description>Grouping of Microsoft Security Essentials rules.</description>
  </rule>

  <rule id="720010" level="12">
    <if_sid>720001</if_sid>
    <id>^1118$|^1119$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
  </rule>
  <rule id="720011" level="7">
    <if_sid>720001</if_sid>
    <id>^1117$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
  </rule>

  <rule id="720012" level="7">
    <if_sid>720001</if_sid>
    <id>^1119$|^1118$|^1117$|^1116$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected.</description>
  </rule>

  <rule id="720013" level="7">
    <if_sid>720001</if_sid>
    <id>^1015$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Suspicious activity detected.</description>
  </rule>

  <!-- Service conditions and errors -->
  <rule id="720020" level="3">
    <if_sid>720001</if_sid>
    <id>^5007$</id>
    <description>Microsoft Security Essentials - Configuration changed.</description>
    <group>policy_changed,</group>
  </rule>
  <rule id="720021" level="9">
    <if_sid>720001</if_sid>
    <id>^5008$</id>
    <description>Microsoft Security Essentials - Service failed.</description>
  </rule>
  <rule id="720022" level="9">
    <if_sid>720001</if_sid>
    <id>^3002$</id>
    <description>Microsoft Security Essentials - Real time protection failed.</description>
  </rule>
  <rule id="720023" level="8">
    <if_sid>720001</if_sid>
    <id>^2012$</id>
    <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
  </rule>
  <rule id="720024" level="8">
    <if_sid>720001</if_sid>
    <id>^2004$</id>
    <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
  </rule>
  <rule id="720025" level="8">
    <if_sid>720001</if_sid>
    <id>^2003$</id>
    <description>Microsoft Security Essentials - Engine update failed.</description>
  </rule>
  <rule id="720026" level="8">
    <if_sid>720001</if_sid>
    <id>^2001$</id>
    <description>Microsoft Security Essentials - Definitions update failed.</description>
  </rule>
  <rule id="720027" level="7">
    <if_sid>720001</if_sid>
    <id>^1005$</id>
    <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
  </rule>
  <rule id="720028" level="5">
    <if_sid>720001</if_sid>
    <id>^1002$</id>
    <description>Microsoft Security Essentials - Scan stopped before completion.</description>
  </rule>

  <!-- EICAR test file special case -->
  <rule id="720041" level="5">
    <if_sid>720012</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file detected.</description>
  </rule>
  <rule id="720042" level="3">
    <if_sid>720011</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file removed.</description>
  </rule>
  <rule id="720043" level="8">
    <if_sid>720010</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
  </rule>

  <!-- Status messages -->
  <rule id="720050" level="3">
    <if_sid>720001</if_sid>
    <id>^2000$</id>
    <description>Microsoft Security Essentials - Signature database updated.</description>
  </rule>
  <rule id="720051" level="3">
    <if_sid>720001</if_sid>
    <id>^2002$</id>
    <description>Microsoft Security Essentials - Scan engine updated.</description>
  </rule>
  <rule id="720053" level="3">
    <if_sid>720001</if_sid>
    <id>^1000$|^1001$</id>
    <description>Microsoft Security Essentials - Scan started or stopped.</description>
  </rule>
  <rule id="720054" level="4">
    <if_sid>720001</if_sid>
    <id>^1013$</id>
    <description>Microsoft Security Essentials - History cleared.</description>
  </rule>

  <!-- Time based alerts -->
  <rule id="720070" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720011</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
  </rule>
  <rule id="720071" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720012</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
  </rule>

</group> <!-- mse -->

Rob B

May 17, 2016, 11:32:25 AM
to ossec-list
Thanks Brent! Funny enough, that day I figured it out and built a whole bunch very similar to your list. Seems to be working very nicely, as now I find myself leaning to creating some downright creative composites... (finally)

I've been looking for some reference material on the <extra_data> tag?  How is this used properly?



Cheers!   Rob

Pedro S

May 18, 2016, 10:09:14 AM
to ossec-list
Hi Rob,

extra_data is another allowed field used by OSSEC decoders to extract information from the event; once it is extracted, you can match the field content in order to create a rule.
The content of extra_data depends on the decoder which extracted it; in Windows decoders it could be, for example: Win source, Parent Image, Protocol, Signature, Start function...

Best regards,

Pedro S.

Rob B

May 18, 2016, 2:38:16 PM
to ossec-list
Nice! Thanks Pedro! I've got it now.

Cheers.

Jesus Linares

May 19, 2016, 3:25:09 AM
to ossec-list
Hi Brent,

Your rules are in OSSEC by default (with other IDs, why?), but you added a few new rules.

Could you send a PR to OSSEC or Wazuh with your new rules?

Thanks.

Brent Morris

May 20, 2016, 2:42:22 PM
to ossec-list
Hi Jesus,

Yeah, I think I submitted a pull request into OSSEC some time back on this...  If memory serves, the other IDs are because I used the existing MS ID schema for OSSEC.  The odd IDs are just because these live in my local_rules.xml in production.  Sadly, I haven't had the time to update OSSEC or try any of the new distributions lately.

Ed Davison

Mar 1, 2017, 6:40:01 PM
to ossec-list
It would be great to see the decoder entries that go with these rules ...  I know this is an older post but maybe you are still around and can share the decoder and maybe the plugin as well?

dan (ddp)

Mar 1, 2017, 8:31:58 PM
to ossec...@googlegroups.com
On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison <edav...@gmail.com> wrote:
> It would be great to see the decoder entries that go with these rules ... I
> know this is an older post but maybe you are still around and can share the
> decoder and maybe the plugin as well?
>


If you can provide log samples, we can work on decoders. :-)


> On Monday, May 16, 2016 at 4:22:08 PM UTC-5, Brent Morris wrote:
>>
>> Rob - can you post your OSSEC version of the log? I can check my rules.
>> These are a culmination of gleaned rules that I updated some time back with
>> new event IDs. Yours is covered in there.... but I would like to test it
>> against a valid OSSEC log. So if you can post it from the OSSEC logs,
>> that'd be great.
>>
>> Here they are..
>>

Ed Davison

Mar 3, 2017, 11:12:52 AM
to ossec-list
> On Wednesday, March 1, 2017 at 7:31:58 PM UTC-6, dan (ddpbsd) wrote:
> On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison <edav...@gmail.com> wrote:
>> It would be great to see the decoder entries that go with these rules ...  I
>> know this is an older post but maybe you are still around and can share the
>> decoder and maybe the plugin as well?
>>
>
> If you can provide log samples, we can work on decoders. :-)

Sure thing.  Here are two examples.  I can probably extrapolate the other events if I can get these working.  It would be great if USERDATA fields could be filled with items like: User, Name, Category, Process Name, Severity, Path.

2017 Mar 03 10:06:20 (TEST2) 10.10.15.x->WinEvtLog 2017 Mar 03 10:06:16 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.   For more information please see the following:  http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0      Name: Virus:DOS/EICAR_Test_File         ID: 2147519003          Severity: Severe        Category: Virus         Path: containerfile:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part;file:_C:\Users\user\AppData\Local\Temp\U6ZR55qF.com.part;file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->(Zip);file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->eicar.com        Detection Origin: Local machine         Detection Type: Concrete       Detection Source: Real-Time Protection           User: NT AUTHORITY\SYSTEM      Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe         Action: Quarantine      Action Status:  No additional actions required          Error Code: 0x00000000          Error description: The operation completed successfully.        Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0   Engine Version: AM: 1.1.13504.0, NIS: 2.1.12706.0

2017 Mar 03 10:05:54 (TEST2) 10.10.15.x->WinEvtLog 2017 Mar 03 10:05:50 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1116): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: Windows Defender has detected malware or other potentially unwanted software.   For more information please see the following:  http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0           Name: Virus:DOS/EICAR_Test_File         ID: 2147519003          Severity: Severe       Category: Virus          Path: containerfile:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part;file:_C:\Users\user\AppData\Local\Temp\U6ZR55qF.com.part;file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->(Zip);file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->eicar.com        Detection Origin: Local machine         Detection Type: Concrete        Detection Source: Real-Time Protection          User: DOMAIN\user     Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe        Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0    Engine Version: AM: 1.1.13504.0, NIS: 2.1.12706.0
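Added example, not code from this thread or from the OSSEC project: a Python model of what a decoder plus rule set would do with archives.log lines like the two above. It pulls the header fields that OSSEC's WinEvtLog line format carries (channel, level, event ID, source, user, domain, host) and splits the Defender message body into the User / Name / Category / Process Name / Severity / Path table Ed asked for, then applies the event-ID and EICAR logic of Brent's rule set with the same rule IDs and levels. The `source` field is the Win source that Pedro describes Windows decoders exposing as extra_data; Brent's grouping rule 720001 matches extra_data beginning `Microsoft Antimalware`, the MSE source name, while Ed's lines carry `Microsoft-Windows-Windows Defender`, so a Defender rule set needs that string in its grouping rule, and the example accepts both. The sample lines are constructed (shortened from Ed's 1117 line and from Rob's Event Viewer sample); `parse_line`, `parse_body`, `split_path` and `classify` are this example's own names, and which of the overlapping rules wins for a given event ID is this script's choice, not a statement about OSSEC's matching order.

```python
"""Added example (not from this thread or the OSSEC project): parse archives.log
'WinEvtLog:' lines from Windows Defender into a field table, then apply rule logic
modelled on the MSE rule set posted above. Names and samples are this script's."""
import re
from typing import Dict, List, Optional, Tuple

# Layout after the archives.log prefix:
# WinEvtLog: <channel>: <LEVEL>(<event id>): <source>: <user>: <domain>: <host>: <message>
HEADER_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<level>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<message>.*)$"
)
# Keys seen in the 1116/1117 body. Defender separates them with runs of spaces, so a
# key must follow two or more spaces (or open the body); that keeps "Process Name:"
# from also matching as "Name:" and ignores "following:" in the preamble.
BODY_KEYS = ["Name", "ID", "Severity", "Category", "Path", "Detection Origin",
             "Detection Type", "Detection Source", "User", "Process Name", "Action",
             "Action Status", "Error Code", "Error description", "Signature Version",
             "Engine Version"]
KEY_RE = re.compile(r"(?:^|\s{2,})(" + "|".join(map(re.escape, BODY_KEYS)) + r"):\s*")

def parse_body(message: str) -> Dict[str, str]:
    """Split the free-text body into the Name/Category/Path/... table Ed asked for."""
    hits = list(KEY_RE.finditer(message))
    table: Dict[str, str] = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        table[m.group(1)] = message[m.end():end].strip()
    return table

def parse_line(line: str) -> Optional[dict]:
    """Header fields plus a 'fields' table; None for lines that are not WinEvtLog events.
    'source' is the Win source that a Windows decoder hands to rules as extra_data."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["fields"] = parse_body(ev.pop("message"))
    return ev

def split_path(path_field: str) -> List[Tuple[str, str]]:
    """'containerfile:_C:\\a.zip;file:_C:\\b' -> [('containerfile', 'C:\\a.zip'), ('file', 'C:\\b')]"""
    return [(item.partition(":_")[0], item.partition(":_")[2]) for item in path_field.split(";")]

# Brent's group rule 720001 gates on extra_data "^Microsoft Antimalware" (the MSE source
# name); Ed's Defender lines carry a different source, so both are accepted here.
ACCEPTED_SOURCES = {"Microsoft Antimalware", "Microsoft-Windows-Windows Defender"}
EICAR = "Virus:DOS/EICAR_Test_File"
# (rule id, level, description) per event id, with the ids and levels of the posted set;
# which overlapping rule wins (1117 -> 720011, 1118/1119 -> 720010) is this script's choice.
BY_EVENT_ID = {
    1116: (720012, 7, "Virus detected."),
    1117: (720011, 7, "Virus detected and properly removed."),
    1118: (720010, 12, "Virus detected, but unable to remove."),
    1119: (720010, 12, "Virus detected, but unable to remove."),
}
# The EICAR child rules 720041-720043 replace their parent and lower the level.
EICAR_CHILD = {720012: (720041, 5), 720011: (720042, 3), 720010: (720043, 8)}

def classify(ev: dict) -> Optional[Tuple[int, int, str]]:
    """Return (rule id, level, description), or None when no rule fires."""
    if ev["source"] not in ACCEPTED_SOURCES or ev["event_id"] not in BY_EVENT_ID:
        return None
    rule_id, level, desc = BY_EVENT_ID[ev["event_id"]]
    if ev["fields"].get("Name", "").startswith(EICAR) and rule_id in EICAR_CHILD:
        rule_id, level = EICAR_CHILD[rule_id]
        desc = "EICAR test file: " + desc
    return rule_id, level, desc

# Constructed sample, shortened from the 1117 line Ed posted (same layout and spacing).
SAMPLE_1117 = (
    "2017 Mar 03 10:06:20 (TEST2) 10.10.15.x->WinEvtLog 2017 Mar 03 10:06:16 WinEvtLog: "
    "Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): "
    "Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: "
    "Windows Defender has taken action to protect this machine from malware or other "
    "potentially unwanted software.   For more information please see the following:  "
    "http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File"
    "&threatid=2147519003&enterprise=0      Name: Virus:DOS/EICAR_Test_File         "
    "ID: 2147519003          Severity: Severe        Category: Virus         "
    "Path: containerfile:_C:\\Users\\user\\AppData\\Local\\Temp\\ZUNXLCOu.zip.part;"
    "file:_C:\\Users\\user\\AppData\\Local\\Temp\\ZUNXLCOu.zip.part->eicar.com        "
    "Detection Origin: Local machine         Detection Source: Real-Time Protection   "
    "        User: NT AUTHORITY\\SYSTEM      Process Name: C:\\Program Files (x86)\\"
    "Mozilla Firefox\\firefox.exe         Action: Quarantine      Action Status:  "
    "No additional actions required          Error Code: 0x00000000          "
    "Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0"
)
# Constructed 1116 sample using the threat name and share path from Rob's event.
SAMPLE_TROJAN = (
    "2016 Apr 22 16:05:20 (VICTIM0) 10.0.1.x->WinEvtLog 2016 Apr 22 16:05:17 WinEvtLog: "
    "Microsoft-Windows-Windows Defender/Operational: WARNING(1116): "
    "Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: VICTIM0: Windows Defender "
    "has detected malware or other potentially unwanted software.   Name: Trojan:Win32/"
    "Bagsu!rfn         ID: 2147694406          Severity: Severe        Category: Trojan"
    "         Path: file:_\\\\10.0.1.10\\share\\Malware_For_Demo\\REAL_BAD_Malz2\\Server.exe"
    "        Detection Origin: Network share         User: frog      "
    "Process Name: C:\\Windows\\explorer.exe"
)
```

Feed a line to `parse_line` and the result to `classify` to see which rule and level it would land on; `split_path` breaks the `Path` value into its `containerfile:_` / `file:_` entries. Keep the spacing of a real archives.log line intact when pasting one in, because the body parser relies on the runs of spaces Defender puts between keys, and a body key with a single space in front of it will be swallowed into the previous value.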


 