Merge pull request #38 from OTRF/main

Adding XML event samples for Sysmon Windows

windows/sysmon/events/event-10.yml

@@ -71,9 +71,39 @@ event_fields:
   type: string
   description: Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call
   sample_value: C:\WINDOWS\SYSTEM32\ntdll.dll+a0344
+- standard_name: TBD
+  standard_type: TBD
+  name: SourceUser
+  type: string
+  description: Name of the account of the source process that created a thread in another process.
+  sample_value: NT AUTHORITY\SYSTEM
+- standard_name: TBD
+  standard_type: TBD
+  name: TargetUser
+  type: string
+  description: Name of the account of the target process
+  sample_value: DESKTOP-4FPBTEN\pedro
 references:
 - text: Sysmon Source
   link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess
 - text: TrustedSec Sysmon Community Guide
   link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/process-access.md
 tags: []
+event_sample:
+  - format: xml
+    sample: |-
+        <EventData>
+        <Data Name="RuleName">-</Data> 
+        <Data Name="UtcTime">2021-11-04 23:31:51.894</Data> 
+        <Data Name="SourceProcessGUID">{3710b5c6-95f1-6184-1c00-000000000d00}</Data> 
+        <Data Name="SourceProcessId">1136</Data> 
+        <Data Name="SourceThreadId">1160</Data> 
+        <Data Name="SourceImage">C:\Windows\System32\VBoxService.exe</Data> 
+        <Data Name="TargetProcessGUID">{3710b5c6-6c6b-6184-9500-000000000d00}</Data> 
+        <Data Name="TargetProcessId">1880</Data> 
+        <Data Name="TargetImage">C:\Windows\System32\smartscreen.exe</Data> 
+        <Data Name="GrantedAccess">0x1400</Data> 
+        <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c0fe|C:\Windows\System32\VBoxService.exe+13357|C:\Windows\System32\VBoxService.exe+145d4|C:\Windows\System32\VBoxService.exe+1487e|C:\Windows\System32\VBoxService.exe+102bb|C:\Windows\System32\VBoxService.exe+10dc0|C:\Windows\System32\VBoxService.exe+17ee|C:\Windows\System32\VBoxService.exe+3248f|C:\Windows\System32\VBoxService.exe+3604c|C:\Windows\System32\VBoxService.exe+103653|C:\Windows\System32\VBoxService.exe+1036e7|C:\Windows\System32\KERNEL32.DLL+17034|C:\Windows\SYSTEM32\ntdll.dll+52651</Data> 
+        <Data Name="SourceUser">NT AUTHORITY\SYSTEM</Data> 
+        <Data Name="TargetUser">DESKTOP-4FPBTEN\pedro</Data> 
+        </EventData>

windows/sysmon/events/event-11.yml

@@ -47,9 +47,28 @@ event_fields:
   type: date
   description: File creation time
   sample_value: 12/4/17 17:38
+- standard_name: user_name
+  standard_type: TBD
+  name: User
+  type: string
+  description: Name of the account who created the file
+  sample_value: DESKTOP-4FPBTEN\pedro
 references:
 - text: Sysmon Source
   link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-11-filecreate
 - text: TrustedSec Sysmon Community Guide
   link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/file-create.md
 tags: []
+event_sample:
+  - format: xml
+    sample: |-
+      <EventData>
+      <Data Name="RuleName">-</Data> 
+      <Data Name="UtcTime">2021-11-04 23:40:40.783</Data> 
+      <Data Name="ProcessGuid">{3710b5c6-6c2f-6184-7f00-000000000d00}</Data> 
+      <Data Name="ProcessId">4236</Data> 
+      <Data Name="Image">C:\Windows\Explorer.EXE</Data> 
+      <Data Name="TargetFilename">C:\Users\pedro\Desktop\New Text Document.txt</Data> 
+      <Data Name="CreationUtcTime">2021-11-04 23:40:40.783</Data> 
+      <Data Name="User">DESKTOP-4FPBTEN\pedro</Data> 
+      </EventData>

windows/sysmon/events/event-3.yml

@@ -119,3 +119,26 @@ references:
 - text: TrustedSec Sysmon Community Guide
   link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/network-connections.md
 tags: []
+event_sample:
+  - format: xml
+    sample: |-
+        <EventData>
+        <Data Name="RuleName">-</Data> 
+        <Data Name="UtcTime">2021-11-03 05:01:26.226</Data> 
+        <Data Name="ProcessGuid">{3710b5c6-f3dd-6181-4000-000000000a00}</Data> 
+        <Data Name="ProcessId">2484</Data> 
+        <Data Name="Image">C:\Windows\System32\svchost.exe</Data> 
+        <Data Name="User">NT AUTHORITY\SYSTEM</Data> 
+        <Data Name="Protocol">tcp</Data> 
+        <Data Name="Initiated">true</Data> 
+        <Data Name="SourceIsIpv6">false</Data> 
+        <Data Name="SourceIp">192.168.10.8</Data> 
+        <Data Name="SourceHostname">-</Data> 
+        <Data Name="SourcePort">50026</Data> 
+        <Data Name="SourcePortName">-</Data> 
+        <Data Name="DestinationIsIpv6">false</Data> 
+        <Data Name="DestinationIp">52.167.249.196</Data> 
+        <Data Name="DestinationHostname">-</Data> 
+        <Data Name="DestinationPort">443</Data> 
+        <Data Name="DestinationPortName">-</Data> 
+        </EventData>

windows/sysmon/events/event-8.yml

@@ -77,9 +77,40 @@ event_fields:
   type: string
   description: Start function is reported if exact match to function in image export table
   sample_value: CtrlRoutine
+- standard_name: TBD
+  standard_type: TBD
+  name: SourceUser
+  type: string
+  description: Name of the account of the source process that created a thread in another process.
+  sample_value: DESKTOP-4FPBTEN\pedro
+- standard_name: TBD
+  standard_type: TBD
+  name: TargetUser
+  type: string
+  description: Name of the account of the target process
+  sample_value: NT AUTHORITY\SYSTEM
 references:
 - text: Sysmon Source
   link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-8-createremotethread
 - text: TrustedSec Sysmon Community Guide
   link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/create-remote-thread.md
 tags: []
+event_sample:
+  - format: xml
+    sample: |-
+        <EventData>
+        <Data Name="RuleName">-</Data> 
+        <Data Name="UtcTime">2021-11-03 05:37:19.746</Data> 
+        <Data Name="SourceProcessGuid">{3710b5c6-1e40-6182-9000-000000000b00}</Data> 
+        <Data Name="SourceProcessId">5504</Data> 
+        <Data Name="SourceImage">C:\Windows\System32\VBoxTray.exe</Data> 
+        <Data Name="TargetProcessGuid">{3710b5c6-1d95-6182-0800-000000000b00}</Data> 
+        <Data Name="TargetProcessId">548</Data> 
+        <Data Name="TargetImage">C:\Windows\System32\csrss.exe</Data> 
+        <Data Name="NewThreadId">3920</Data> 
+        <Data Name="StartAddress">0xFFFFFD58E52520D0</Data> 
+        <Data Name="StartModule">-</Data> 
+        <Data Name="StartFunction">-</Data> 
+        <Data Name="SourceUser">DESKTOP-4FPBTEN\pedro</Data> 
+        <Data Name="TargetUser">NT AUTHORITY\SYSTEM</Data> 
+        </EventData>

windows/sysmon/events/event-9.yml

@@ -41,9 +41,27 @@ event_fields:
   type: string
   description: Target device
   sample_value: \Device\HarddiskVolume2
+- standard_name: user_name
+  standard_type: TBD
+  name: User
+  type: string
+  description: Name of the account of the process that conducted reading operations from the drive
+  sample_value: NT AUTHORITY\SYSTEM
 references:
 - text: Sysmon Source
   link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-9-rawaccessread
 - text: TrustedSec Sysmon Community Guide
   link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/raw-access-read.md
 tags: []
+event_sample:
+  - format: xml
+    sample: |-
+        <EventData>
+        <Data Name="RuleName">-</Data> 
+        <Data Name="UtcTime">2021-11-04 23:30:24.705</Data> 
+        <Data Name="ProcessGuid">{3710b5c6-6bc3-6184-1f00-000000000d00}</Data> 
+        <Data Name="ProcessId">1200</Data> 
+        <Data Name="Image">C:\Windows\System32\svchost.exe</Data> 
+        <Data Name="Device">\Device\HarddiskVolume2</Data> 
+        <Data Name="User">NT AUTHORITY\SYSTEM</Data> 
+        </EventData>