Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Sysmon module for v13.01 (EID 24 and 25) #24217

Closed
crimsoncore opened this issue Feb 24, 2021 · 7 comments · Fixed by #24945
Closed

Update Sysmon module for v13.01 (EID 24 and 25) #24217

crimsoncore opened this issue Feb 24, 2021 · 7 comments · Fixed by #24945
Assignees
@marc-gr
Labels
enhancement

Comments

@crimsoncore
Copy link

Sysmon event ID 24 and 25 are missing from winlogbeat-sysmon.js
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 24, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 25, 2021
@jamiehynds
Copy link

Hi @crimsoncore - support for Sysmon v13 is being tracked in this issue, which we plan on addressing soon: #21172

Could you provide sample events (sanitised is fine) for event ID 24 and 25? Thanks!

@crimsoncore
Copy link
Author

crimsoncore commented Feb 25, 2021
edited
Loading

Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 25/02/2021 10:45:37
Event ID: 24
Task Category: Clipboard changed (rule: ClipboardChange)
Level: Information
Keywords:
User: SYSTEM
Computer: DESKTOP-I9CQVAQ
Description:
Clipboard changed:
RuleName: -
UtcTime: 2021-02-25 09:45:37.522
ProcessGuid: {9497d8d9-70c6-6037-3b12-000000001000}
ProcessId: 10076
Image: C:\Windows\System32\mmc.exe
Session: 1
ClientInfo: user: DESKTOP-I9CQVAQ\luks
Hashes: SHA256=6BF6A6B5581A66B2571701A77897D3F16F6A5CF24DDA966C61C6B42C2E8C02BC,IMPHASH=00000000000000000000000000000000
Archived: true

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>24</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>24</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-25T09:45:37.535298300Z" />
    <EventRecordID>10454780</EventRecordID>
    <Correlation />
    <Execution ProcessID="3800" ThreadID="204" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-I9CQVAQ</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-02-25 09:45:37.522</Data>
    <Data Name="ProcessGuid">{9497d8d9-70c6-6037-3b12-000000001000}</Data>
    <Data Name="ProcessId">10076</Data>
    <Data Name="Image">C:\Windows\System32\mmc.exe</Data>
    <Data Name="Session">1</Data>
    <Data Name="ClientInfo">user: DESKTOP-I9CQVAQ\luks</Data>
    <Data Name="Hashes">SHA256=6BF6A6B5581A66B2571701A77897D3F16F6A5CF24DDA966C61C6B42C2E8C02BC,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>

@crimsoncore
Copy link
Author

crimsoncore commented Feb 25, 2021
edited
Loading

EventID 24

Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 25/02/2021 10:45:24
Event ID: 25
Task Category: Process Tampering (rule: ProcessTampering)
Level: Information
Keywords:
User: SYSTEM
Computer: DESKTOP-I9CQVAQ
Description:
Process Tampering:
RuleName: -
UtcTime: 2021-02-25 09:45:24.484
ProcessGuid: {9497d8d9-71b4-6037-4912-000000001000}
ProcessId: 12804
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: Image is replaced

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>25</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>25</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-25T09:45:24.485747700Z" />
    <EventRecordID>10452838</EventRecordID>
    <Correlation />
    <Execution ProcessID="3800" ThreadID="5080" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-I9CQVAQ</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-02-25 09:45:24.484</Data>
    <Data Name="ProcessGuid">{9497d8d9-71b4-6037-4912-000000001000}</Data>
    <Data Name="ProcessId">12804</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>

@jamiehynds
Copy link

Thanks @crimsoncore, really helpful! Is there any chance you could export those two events to evtx from the Windows Event Viewer. We'll have all we need to update the module from there.

@crimsoncore
Copy link
Author

crimsoncore commented Feb 25, 2021
edited
Loading

Here you go
Archive.zip

@jamiehynds
Copy link

Thanks very much @crimsoncore!

FYI @andrewkroh

@jamiehynds jamiehynds mentioned this issue Mar 1, 2021
Closed
@marc-gr marc-gr mentioned this issue Apr 6, 2021
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marc-gr marc-gr

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[winlogbeat] Add support for sysmon v13 events 24 and 25 marc-gr/beats
5 participants
@andresrc @marc-gr @elasticmachine @crimsoncore @jamiehynds