Split sysmon 11 decoder


M Jones

Jan 22, 2022, 7:00:58 AM
to Wazuh mailing list
Hi,

I'm trying to split the Sysmon decoder (11) into more detailed fields for the rules to see. I'm currently picking up the user downloading files, and I have created a CDB file in the format below to look at the attachment and check whether it is classed as malicious or not. However, this doesn't work as the targetfilename is not filtered enough, so I was thinking of creating a decoder to split it up further to get the folder, filename and filetype. The regex I have works after testing, but I can't seem to pull it all together. Is there a way to use the sysmon11 decoder as a parent and then create more fields from the targetfilename?

Regex (has 3 groups): ^(.*[\\\/])([^.]+)(\.\D*)\s which works against this:

C:\Users\user1\Downloads\Test.zip 

Decoder that I tried to use to replace the current one, but it didn't work due to errors even after copying the 0380 decoders to my local area.
<decoder name="Sysmon-EventID#11">
    <parent>windows</parent>
    <type>windows</type>
    <regex offset="after_regex">File created: (\.*)\s+UtcTime: (\.*)\s+ProcessGuid: (\.*)\s+ProcessId: (\.*)\s+Image: (\.*)\s+TargetFilename: (.*[\\\/])+([^.]+)+(\.\D*)\s+CreationUtcTime: (\.*)</regex>
    <order>sysmon.filecreated, sysmon.utctime, sysmon.processguid, sysmon.processid, sysmon.image, sysmon.targetfiledirectory, sysmon.filename, sysmon.filetype, sysmon.creationutctime </order>
</decoder>

CDB example:
.ps1:Block

Any help would be great, thanks.



Manuel Camona Perez

Jan 24, 2022, 5:12:04 AM
to Wazuh mailing list
Hi,


Your regex is not working properly. A syntax error is raised if you try to use it.

The regexes used in Wazuh have known syntaxes but with limitations that can be seen here.

I suggest that you use the wazuh-regex tool to test your regexes.
As you can see in the following wazuh-regex output, your regex is giving a compilation error:

# /var/ossec/bin/wazuh-regex '(.*[\\\/])+([^.]+)+(\.\D*)'
Pattern '(.*[\\\/])+([^.]+)+(\.\D*)' does not compile with OSRegex_Compile


First of all, note that / does not need to be escaped. With that change, the error disappears. Also note that [] is not supported here; if you use them, you will match the characters.

Now if you paste the string representing the filename and press enter, you will see nothing as there are no matches.

I will give you a regex that you can use to parse the path, file name, and file extension. This regex does not match Linux paths. I think it is not necessary since this regex is used for Windows Logs. In case you want to match Linux logs, you will need to use | and another regex.

\.*\\+\w+.\w+


# /var/ossec/bin/wazuh-regex '\.*\\+\w+.\w+'
C:\Windows\System32\drivers\malware.txt
+OSRegex_Execute: C:\Windows\System32\drivers\malware.txt
+OS_Regex       : C:\Windows\System32\drivers\malware.txt
wrong_path.txt



When you use this regex in the decoder, the log will not be decoded due to a complexity problem. A solution could be dividing the decoder into 3 decoders so you have:

<decoder name="Sysmon-EventID#11">
    <parent>windows</parent>
    <type>windows</type>
    <regex offset="after_regex">File created: (\.*)\s+UtcTime: (\.*)\s+ProcessGuid: (\.*)\s+ProcessId: (\.*)\s+Image: (\.*)\s+</regex>
    <order>sysmon.filecreated, sysmon.utctime, sysmon.processguid, sysmon.processid, sysmon.image</order>
</decoder>


<decoder name="Sysmon-EventID#11">
    <parent>windows</parent>
    <type>windows</type>
    <regex>TargetFilename: (\.*)\\(\w+).(\w+)</regex>
    <order>sysmon.targetfiledirectory, sysmon.filename, sysmon.filetype</order>
</decoder>


<decoder name="Sysmon-EventID#11">
    <parent>windows</parent>
    <type>windows</type>
    <regex>CreationUtcTime: (\.*)</regex>
    <order>sysmon.creationutctime</order>
</decoder>



Wazuh-logtest output:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

2017 Mar 30 15:09:02 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(11): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-KND6QGDH48O: File created:  UtcTime: 2017-03-30 15:09:02.934  ProcessGuid: {FE5A418C-1C6B-58DD-0000-001023A40B00}  ProcessId: 3064  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TargetFilename: C:\Windows\System32\drivers\malware.txt  CreationUtcTime: 2017-03-30 15:09:02.934

**Phase 1: Completed pre-decoding.
        full event: '2017 Mar 30 15:09:02 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(11): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-KND6QGDH48O: File created:  UtcTime: 2017-03-30 15:09:02.934  ProcessGuid: {FE5A418C-1C6B-58DD-0000-001023A40B00}  ProcessId: 3064  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TargetFilename: C:\Windows\System32\drivers\malware.txt  CreationUtcTime: 2017-03-30 15:09:02.934'
        timestamp: '2017 Mar 30 15:09:02'
        program_name: 'WinEvtLog'

**Phase 2: Completed decoding.
        name: 'windows'
        parent: 'windows'
        id: '11'
        sysmon.creationutctime: '2017-03-30 15:09:02.934'
        sysmon.filename: 'malware'
        sysmon.filetype: 'txt'
        sysmon.image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        sysmon.processguid: '{FE5A418C-1C6B-58DD-0000-001023A40B00}'
        sysmon.processid: '3064'
        sysmon.targetfiledirectory: 'C:\Windows\System32\drivers'
        sysmon.utctime: '2017-03-30 15:09:02.934'




Apart from this, check that you have excluded the original 0380 decoder file from the Wazuh loading list. To do this, use the tag <decoder_exclude> in the ossec.conf file. Thus, the specified decoder will not be loaded from the default decoder folder, and the decoder file saved in the user folder will be loaded instead.

This is part of the process of changing an existing decoder.

Restart the manager after this step and try again.

Let me know if you have more problems!

M Jones

Jan 24, 2022, 4:51:39 PM
to Wazuh mailing list
Hi Manuel,

Thanks for the above, it's great.

It works for the example log but not the ones generated by Sysmon. It's still using the old fields, but I'm not sure if the eventchannel decoder is taking over?

This is just a random Sysmon log, does that look right to you?
2022 Jan 24 21:36:11 (user-Surface) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-01-24T21:36:11.6627843Z","eventRecordID":"32354","processID":"5188","threadID":"8108","channel":"Microsoft-Windows-Sysmon/Operational","computer":"user-Surface.domain.local","severityValue":"INFORMATION","message":Network connection detected:\r\nRuleName: Usermode\r\nUtcTime: 2022-01-24 21:36:13.309\r\nProcessGuid: {d754d8c4-6cd3-61ee-c901-000000004900}\r\nProcessId: 12652\r\nImage: C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\r\nUser: user\\user\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.1.5\r\nSourceHostname: user-Surface.domain.local\r\nSourcePort: 61939\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 8.8.8.8\r\nDestinationHostname: -\r\nDestinationPort: 443\r\nDestinationPortName: https\""},"eventdata":{"ruleName":"Usermode","utcTime":"2022-01-24 21:36:13.309","processGuid":"{d754d8c4-6cd3-61ee-c901-000000004900}","processId":"12652","image":"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe","user":"user\\\\user","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.1.","sourceHostname":"user-Surface.domain.local","sourcePort":"61939","destinationIsIpv6":"false","destinationIp":"8.8.8.8","destinationPort":"443","destinationPortName":"https"}}}

In my old rules I set up, it uses the eventchannel decoder and doesn't use the ones set up. I'm not sure if the problem is to do with the log channel settings. I've also attached the log from Event Viewer.

This is my log:

Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          24/01/2022 21:31:17
Event ID:      15
Task Category: File stream created (rule: FileCreateStreamHash)
Level:         Information
Keywords:     
User:          SYSTEM
Computer:      User-Surface.domain.local
Description:
File stream created:
RuleName: -
UtcTime: 2022-01-24 21:31:17.143
ProcessGuid: {d754d8c4-1aa4-61ef-e04b-000000004900}
ProcessId: 12172
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\user\Downloads\2022\Test (8).ps1
CreationUtcTime: 2022-01-24 21:31:16.192
Hash: MD5=616FF391A0912B09B787100AE33900EE,SHA256=000000000,IMPHASH=00000000000000000000000000000000
Contents: $IE=new-object -com internetexplorer.application  $IE.navigate2("www.microsoft.com")  $IE.visible=$true
User: DOMAIN\user
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>15</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>15</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-01-24T21:31:17.1438361Z" />
    <EventRecordID>32278</EventRecordID>
    <Correlation />
    <Execution ProcessID="5188" ThreadID="7636" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>User-Surface.domain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2022-01-24 21:31:17.143</Data>
    <Data Name="ProcessGuid">{d754d8c4-1aa4-61ef-e04b-000000004900}</Data>
    <Data Name="ProcessId">12172</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="TargetFilename">C:\Users\user\Downloads\2022\Test (8).ps1</Data>
    <Data Name="CreationUtcTime">2022-01-24 21:31:16.192</Data>
    <Data Name="Hash">MD5=616FF391A0912B09B787170AE33903EE,SHA256=E2A17C30A21F9D8430FDFF09CCD0AA71E261CE9E9188D8F2EC54AE8593F725CA,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="Contents">$IE=new-object -com internetexplorer.application  $IE.navigate2("www.microsoft.com") </Data>
    <Data Name="User">DOMAIN\user</Data>
  </EventData>
</Event>


Manuel Camona Perez

Jan 25, 2022, 4:22:39 AM
to Wazuh mailing list
Hi again,

I am afraid to say that this use case cannot be covered right now.

As you said, the windows_eventchannel decoder is the one decoding this log. This decoder is similar to the json decoder. For your use case, you want to decode the TargetFilename again to get path, filename, and extension. This cannot be done as an already decoded field cannot be decoded again.

In future Wazuh versions, this could be possible as the way rules and decoders work will change.

Sorry for the inconvenience caused and thanks for contributing to Wazuh.
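The field split this thread is after, as an added stand-alone example: this is not code from the thread, not a Wazuh decoder, and not something Wazuh does on its own (the last reply explains that an already decoded field cannot be decoded again). The Python script below pulls TargetFilename out of both the WinEvtLog-style line used with wazuh-logtest earlier in the thread and an eventchannel JSON event, splits it into directory, file name and extension, and checks the extension against a CDB-style key:value list like the .ps1:Block line from the first message. It uses Python's re syntax rather than Wazuh's OS_Regex dialect, so the patterns are not drop-in decoder regexes. The eventchannel event, the CDB entries other than .ps1:Block, and all function names are constructed for the example. It goes beyond the posted regex in that the file-name group accepts spaces and parentheses, so the Test (8).ps1 name from the Event Viewer paste splits correctly, and it also handles forward-slash paths and names with no extension.

```python
import json
import re

# Constructed CDB-style list: one key:value per line, as in the ".ps1:Block"
# entry from the first message (the other two entries are made up).
CDB_TEXT = """\
.ps1:Block
.vbs:Block
.txt:Allow
"""

# The WinEvtLog-style line used with wazuh-logtest in the thread.
WINEVTLOG_LINE = (
    "2017 Mar 30 15:09:02 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
    "INFORMATION(11): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
    "WIN-KND6QGDH48O: File created:  UtcTime: 2017-03-30 15:09:02.934  "
    "ProcessGuid: {FE5A418C-1C6B-58DD-0000-001023A40B00}  ProcessId: 3064  "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe  "
    "TargetFilename: C:\\Windows\\System32\\drivers\\malware.txt  "
    "CreationUtcTime: 2017-03-30 15:09:02.934"
)

# Constructed eventchannel event with the shape of the JSON posted later in
# the thread, carrying the TargetFilename from the Event Viewer paste.
EVENTCHANNEL_LINE = "2022 Jan 24 21:31:17 (user-Surface) any->EventChannel " + json.dumps({
    "win": {
        "system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "11",
                   "channel": "Microsoft-Windows-Sysmon/Operational"},
        "eventdata": {"utcTime": "2022-01-24 21:31:17.143", "processId": "12172",
                      "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                      "targetFilename": "C:\\Users\\user\\Downloads\\2022\\Test (8).ps1"},
    }
})

# Python counterpart of the first decoder: one named group per field, lazy
# groups for values that may contain spaces (Image and TargetFilename paths).
FIELD_RE = re.compile(
    r"File created: (?P<filecreated>.*?)\s+UtcTime: (?P<utctime>\S+ \S+)\s+"
    r"ProcessGuid: (?P<processguid>\S+)\s+ProcessId: (?P<processid>\d+)\s+"
    r"Image: (?P<image>.*?)\s+TargetFilename: (?P<targetfilename>.*?)\s+"
    r"CreationUtcTime: (?P<creationutctime>\S+ \S+)"
)

# directory = everything up to the last separator (either kind); filename =
# the rest minus an optional final ".ext". A leading-dot name such as
# ".bashrc" is treated as a name with no extension.
PATH_RE = re.compile(
    r"^(?P<directory>.*[\\/])(?P<filename>[^\\/]+?)(?P<filetype>\.[^.\\/]*)?$"
)


def parse_winevtlog(line):
    """Return the Sysmon fields of a flat WinEvtLog line, or None if absent."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def parse_eventchannel(line):
    """Return the fields of an eventchannel JSON event that matter here."""
    _, _, payload = line.partition("->EventChannel ")
    event = json.loads(payload)
    data = event["win"]["eventdata"]
    return {"eventid": event["win"]["system"]["eventID"],
            "image": data["image"], "targetfilename": data["targetFilename"]}


def split_target(path):
    """Split a path into (directory, filename, filetype); None if no separator."""
    m = PATH_RE.match(path)
    if not m:
        return None
    directory = m.group("directory")
    if len(directory) > 1:          # drop the trailing separator, keep a bare "/"
        directory = directory[:-1]
    return directory, m.group("filename"), m.group("filetype") or ""


def load_cdb(text):
    """Parse key:value lines; keys are lower-cased so .PS1 and .ps1 match."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(":")
            entries[key.strip().lower()] = value.strip()
    return entries


def classify_extension(filetype, cdb):
    return cdb.get(filetype.lower(), "NotListed")


def inspect_event(fields, cdb):
    """Enrich a decoded event with the split path and the CDB verdict."""
    parts = split_target(fields["targetfilename"])
    if parts is None:
        return {**fields, "verdict": "Unparsed"}
    directory, filename, filetype = parts
    return {**fields, "targetfiledirectory": directory, "filename": filename,
            "filetype": filetype, "verdict": classify_extension(filetype, cdb)}


def analyse(cdb_text=CDB_TEXT):
    """Run both sample events through the split and the CDB lookup."""
    cdb = load_cdb(cdb_text)
    return [inspect_event(parse_winevtlog(WINEVTLOG_LINE), cdb),
            inspect_event(parse_eventchannel(EVENTCHANNEL_LINE), cdb)]


if __name__ == "__main__":
    for result in analyse():
        print(json.dumps(result, indent=2))
```

Run it with python3 and it prints the two enriched events; the .txt file from the logtest sample comes back as Allow and the Test (8).ps1 download as Block. The extension lookup is only as strong as the list behind it, which is the same limitation as the CDB approach in the first message; the Hash field Sysmon includes in the event is the better pivot for a rule when it is present.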