Thanks Brent! Funny enough, that day I figured it out and built a whole bunch very similar to your list. Seems to be working very nicely, as now I find myself leaning to creating some downright creative composites.... (finally)
I've been looking for some reference material on the <extra_data> tag? How is this used properly?

Cheers!
Rob

On Monday, May 16, 2016 at 5:22:08 PM UTC-4, Brent Morris wrote:
>
> Rob - can you post your OSSEC version of the log? I can check my rules.
> These are a culmination of gleaned rules that I updated some time back
> with new event IDs. Yours is covered in there.... but I would like to
> test it against a valid OSSEC log. So if you can post it from the OSSEC
> logs, that'd be great.
>
> Here they are..
>
> </group>
> <!-- Microsoft Security Essentials rules -->
> <!-- see https://technet.microsoft.com/en-us/library/hh144989.aspx -->
> <group name="windows,mse,">
>   <rule id="720001" level="0">
>     <category>windows</category>
>     <if_sid>18101,18102,18103</if_sid>
>     <extra_data>^Microsoft Antimalware</extra_data>
>     <description>Grouping of Microsoft Security Essentials rules.</description>
>   </rule>
>
>   <rule id="720010" level="12">
>     <if_sid>720001</if_sid>
>     <id>^1118$|^1119$</id>
>     <group>virus,</group>
>     <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
>   </rule>
>   <rule id="720011" level="7">
>     <if_sid>720001</if_sid>
>     <id>^1117$</id>
>     <group>virus,</group>
>     <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
>   </rule>
>
>   <rule id="720012" level="7">
>     <if_sid>720001</if_sid>
>     <id>^1119$|^1118$|^1117$|^1116$</id>
>     <group>virus,</group>
>     <description>Microsoft Security Essentials - Virus detected.</description>
>   </rule>
>
>   <rule id="720013" level="7">
>     <if_sid>720001</if_sid>
>     <id>^1015$</id>
>     <group>virus,</group>
>     <description>Microsoft Security Essentials - Suspicious activity detected.</description>
>   </rule>
>
>   <!-- Service conditions and errors -->
>   <rule id="720020" level="3">
>     <if_sid>720001</if_sid>
>     <id>^5007$</id>
>     <description>Microsoft Security Essentials - Configuration changed.</description>
>     <group>policy_changed,</group>
>   </rule>
>   <rule id="720021" level="9">
>     <if_sid>720001</if_sid>
>     <id>^5008$</id>
>     <description>Microsoft Security Essentials - Service failed.</description>
>   </rule>
>   <rule id="720022" level="9">
>     <if_sid>720001</if_sid>
>     <id>^3002$</id>
>     <description>Microsoft Security Essentials - Real time protection failed.</description>
>   </rule>
>   <rule id="720023" level="8">
>     <if_sid>720001</if_sid>
>     <id>^2012$</id>
>     <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
>   </rule>
>   <rule id="720024" level="8">
>     <if_sid>720001</if_sid>
>     <id>^2004$</id>
>     <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
>   </rule>
>   <rule id="720025" level="8">
>     <if_sid>720001</if_sid>
>     <id>^2003$</id>
>     <description>Microsoft Security Essentials - Engine update failed.</description>
>   </rule>
>   <rule id="720026" level="8">
>     <if_sid>720001</if_sid>
>     <id>^2001$</id>
>     <description>Microsoft Security Essentials - Definitions update failed.</description>
>   </rule>
>   <rule id="720027" level="7">
>     <if_sid>720001</if_sid>
>     <id>^1005$</id>
>     <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
>   </rule>
>   <rule id="720028" level="5">
>     <if_sid>720001</if_sid>
>     <id>^1002$</id>
>     <description>Microsoft Security Essentials - Scan stopped before completion.</description>
>   </rule>
>
>   <!-- EICAR test file special case -->
>   <!-- www.eicar.org/86-0-Intended-use.html -->
>   <rule id="720041" level="5">
>     <if_sid>720012</if_sid>
>     <match>Virus:DOS/EICAR_Test_File</match>
>     <options>alert_by_email</options>
>     <description>Microsoft Security Essentials - EICAR test file detected.</description>
>   </rule>
>   <rule id="720042" level="3">
>     <if_sid>720011</if_sid>
>     <match>Virus:DOS/EICAR_Test_File</match>
>     <options>alert_by_email</options>
>     <description>Microsoft Security Essentials - EICAR test file removed.</description>
>   </rule>
>   <rule id="720043" level="8">
>     <if_sid>720010</if_sid>
>     <match>Virus:DOS/EICAR_Test_File</match>
>     <options>alert_by_email</options>
>     <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
>   </rule>
>
>   <!-- Status messages -->
>   <rule id="720050" level="3">
>     <if_sid>720001</if_sid>
>     <id>^2000$</id>
>     <description>Microsoft Security Essentials - Signature database updated.</description>
>   </rule>
>   <rule id="720051" level="3">
>     <if_sid>720001</if_sid>
>     <id>^2002$</id>
>     <description>Microsoft Security Essentials - Scan engine updated.</description>
>   </rule>
>   <rule id="720053" level="3">
>     <if_sid>720001</if_sid>
>     <id>^1000$|^1001$</id>
>     <description>Microsoft Security Essentials - Scan started or stopped.</description>
>   </rule>
>   <rule id="720054" level="4">
>     <if_sid>720001</if_sid>
>     <id>^1013$</id>
>     <description>Microsoft Security Essentials - History cleared.</description>
>   </rule>
>
>   <!-- Time based alerts -->
>   <rule id="720070" level="10" frequency="4" timeframe="240">
>     <if_matched_sid>720011</if_matched_sid>
>     <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
>   </rule>
>   <rule id="720071" level="10" frequency="4" timeframe="240">
>     <if_matched_sid>720012</if_matched_sid>
>     <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
>   </rule>
>
> </group> <!-- mse -->
>
>
> On Friday, April 22, 2016 at 1:16:22 PM UTC-7, Rob B wrote:
>>
>> Hello All,
>>
>> Does anyone have a decoder for Windows Defender floating around out there??
>>
>> I'm having a heck of a time... Here is the event channel event example if anyone is curious or can help: (Win10 box)
>>
>> Log Name: Microsoft-Windows-Windows Defender/Operational
>> Source: Microsoft-Windows-Windows Defender
>> Date: 4/22/2016 4:05:17 PM
>> Event ID: 1116
>> Task Category: None
>> Level: Warning
>> Keywords:
>> User: SYSTEM
>> Computer: VICTIM0
>> Description:
>> Windows Defender has detected malware or other potentially unwanted software.
>> For more information please see the following:
>>
>> http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0
>> Name: Trojan:Win32/Bagsu!rfn
>> ID: 2147694406
>> Severity: Severe
>> Category: Trojan
>> Path: containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)
>> Detection Origin: Network share
>> Detection Type: Concrete
>> Detection Source: Real-Time Protection
>> User: frog
>> Process Name: C:\Windows\explorer.exe
>> Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0
>> Engine Version: AM: 1.1.12603.0, NIS: 2.1.11804.0
>>
>> Event Xml:
>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>   <System>
>>     <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
>>     <EventID>1116</EventID>
>>     <Version>0</Version>
>>     <Level>3</Level>
>>     <Task>0</Task>
>>     <Opcode>0</Opcode>
>>     <Keywords>0x8000000000000000</Keywords>
>>     <TimeCreated SystemTime="2016-04-22T20:05:17.551083000Z" />
>>     <EventRecordID>95</EventRecordID>
>>     <Correlation ActivityID="{ECC2B320-F9A6-41AD-9F17-5C9EE24D3330}" />
>>     <Execution ProcessID="2332" ThreadID="4540" />
>>     <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
>>     <Computer>VICTIM0</Computer>
>>     <Security UserID="S-1-5-77" />
>>   </System>
>>   <EventData>
>>     <Data Name="Product Name">%%827</Data>
>>     <Data Name="Product Version">4.9.10586.0</Data>
>>     <Data Name="Detection ID">{CAADD684-36C9-444B-8A6D-8CE537A93E40}</Data>
>>     <Data Name="Detection Time">2016-04-22T20:04:40.369Z</Data>
>>     <Data Name="Unused"></Data>
>>     <Data Name="Unused2"></Data>
>>     <Data Name="Threat ID">2147694406</Data>
>>     <Data Name="Threat Name">Trojan:Win32/Bagsu!rfn</Data>
>>     <Data Name="Severity ID">5</Data>
>>     <Data Name="Severity Name">Severe</Data>
>>     <Data Name="Category ID">8</Data>
>>     <Data Name="Category Name">Trojan</Data>
>>     <Data Name="FWLink">http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0</Data>
>>     <Data Name="Status Code">1</Data>
>>     <Data Name="Status Description"></Data>
>>     <Data Name="State">1</Data>
>>     <Data Name="Source ID">3</Data>
>>     <Data Name="Source Name">%%818</Data>
>>     <Data Name="Process Name">C:\Windows\explorer.exe</Data>
>>     <Data Name="Detection User">frog</Data>
>>     <Data Name="Unused3"></Data>
>>     <Data Name="Path">containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)</Data>
>>     <Data Name="Origin ID">2</Data>
>>     <Data Name="Origin Name">%%846</Data>
>>     <Data Name="Execution ID">1</Data>
>>     <Data Name="Execution Name">%%813</Data>
>>     <Data Name="Type ID">0</Data>
>>     <Data Name="Type Name">%%822</Data>
>>     <Data Name="Pre Execution Status">0</Data>
>>     <Data Name="Action ID">9</Data>
>>     <Data Name="Action Name">%%887</Data>
>>     <Data Name="Unused4"></Data>
>>     <Data Name="Error Code">0x00000000</Data>
>>     <Data Name="Error Description">The operation completed successfully. </Data>
>>     <Data Name="Unused5"></Data>
>>     <Data Name="Post Clean Status">0</Data>
>>     <Data Name="Additional Actions ID">0</Data>
>>     <Data Name="Additional Actions String">No additional actions required</Data>
>>     <Data Name="Remediation User"></Data>
>>     <Data Name="Unused6"></Data>
>>     <Data Name="Signature Version">AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0</Data>
>>     <Data Name="Engine Version">AM: 1.1.12603.0, NIS: 2.1.11804.0</Data>
>>   </EventData>
>> </Event>
>>
>>
>> Thanks!
>> Rob
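The posted Defender event and the rule thresholds quoted in the thread, worked through in Python as an added example (it is not OSSEC code and not from this thread): parse_event flattens the Event Xml into a dict, and classify applies the event-ID levels of rules 720010-720013 plus the EICAR downgrade of 720041-720043. The names parse_event, classify and EVENT_ID_LEVELS are mine, and the sample event is a constructed, trimmed copy of the one Rob posted.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event ID -> (verdict, OSSEC level), lifted from rules 720010-720013 above;
# Windows Defender reuses the MSE event IDs, so the thresholds carry over.
EVENT_ID_LEVELS = {
    1116: ("detected", 7),
    1117: ("removed", 7),
    1118: ("removal failed", 12),
    1119: ("removal failed", 12),
    1015: ("suspicious activity", 7),
}
EICAR = "Virus:DOS/EICAR_Test_File"  # substring rules 720041-720043 <match> on

# Constructed sample: Rob's posted event, trimmed to the fields used here.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1116</EventID>
    <Computer>VICTIM0</Computer>
  </System>
  <EventData>
    <Data Name="Threat Name">Trojan:Win32/Bagsu!rfn</Data>
    <Data Name="Unused"> </Data>
    <Data Name="Process Name">C:\Windows\explorer.exe</Data>
    <Data Name="Detection User">frog</Data>
    <Data Name="Path">containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe</Data>
  </EventData>
</Event>"""

def parse_event(xml_text):
    """Flatten <System> basics and every <Data Name=...> into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def classify(fields):
    """Verdict and level for the event; EICAR hits are downgraded to the
    levels of rules 720041-720043 (a test file is expected noise)."""
    verdict, level = EVENT_ID_LEVELS.get(fields["EventID"], ("unclassified", 0))
    if EICAR in fields.get("Threat Name", ""):
        level = {"detected": 5, "removed": 3, "removal failed": 8}.get(verdict, level)
        verdict = "EICAR test file " + verdict
    return verdict, level
```

The FWLink value in the posted Event Xml carries an unescaped `&`, which ET.fromstring rejects, so it is left out of the sample; a real feed needs the `&amp;`-escaped form.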