Commit
1 parent 1bcf289, commit d5fa4ea
Showing 3 changed files with 54 additions and 31 deletions.
@@ -1 +1 @@ | ||
1.00 | ||
1.01 |
|
@@ -2673,44 +2673,57 @@ Author and (c): Michael Starks, 2014 --> | |
</decoder> | ||
|
||
<!-- sysmon decoder --> | ||
<!-- | ||
- v1.1 2015/11/24 | ||
- Event 1 | ||
- Originally created by Josh Brower, [email protected] | ||
- Updated by Wazuh for support new logs: | ||
- OLD version: "[...] HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 [...] " | ||
- NEW version: "[...] Hashes: SHA1=9FEF303BEDF8430403915951564E0D9888F6F365 [...] " | ||
- Event 2-8 | ||
- Created by Wazuh <[email protected]>. | ||
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2 | ||
--> | ||
|
||
|
||
<!-- | ||
- Decoder for Sysmon Event ID 1: Process Created | ||
Event ID 1: Process Created | ||
- Originally created by Josh Brower, [email protected] | ||
- Updated and maintained by Wazuh, 2015/11/19 | ||
- New sysmon version has a different log: | ||
- OLD version: "HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365" | ||
- NEW version: "Hashes: SHA1=9FEF303BEDF8430403915951564E0D9888F6F365" | ||
- OSSEC to Sysmon Fields Mapping: | ||
- user = User | ||
- status = Image | ||
- url = Hash | ||
- extra_data = ParentImage | ||
- OSSEC to Sysmon Fields Mapping: | ||
- user = User | ||
- status = Image | ||
- url = Hash | ||
- extra_data = ParentImage | ||
- Examples Old version: | ||
- 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE | ||
- 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE | ||
- Examples New version*: | ||
- 2015 Nov 19 18:32:31 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 18:32:31 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Process Create: UtcTime: 2015-11-19 17:32:31.562 ProcessGuid: {0B364D7C-07AF-564E-0000-001098C90800} ProcessId: 2188 Image: C:\Windows\System32\rundll32.exe CommandLine: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000 CurrentDirectory: C:\Users\Administrator.WIN-K3UD9R5LCEL\Desktop\ User: WIN-K3UD9R5LCEL\Administrator LogonGuid: {0B364D7C-FDDB-564D-0000-00209CA10100} LogonId: 0x1a19c TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=963B55ACC8C566876364716D5AAFA353995812A8 ParentProcessGuid: {0B364D7C-FE43-564D-0000-0010F1720200} ParentProcessId: 576 ParentImage: C:\Program Files\Internet Explorer\iexplore.exe ParentCommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" | ||
- 2015 Nov 19 18:32:31 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Process Create: UtcTime: 2015-11-19 17:32:31.562 ProcessGuid: {0B364D7C-07AF-564E-0000-001098C90800} ProcessId: 2188 Image: C:\Windows\System32\rundll32.exe CommandLine: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000 CurrentDirectory: C:\Users\Administrator.WIN-K3UD9R5LCEL\Desktop\ User: WIN-K3UD9R5LCEL\Administrator LogonGuid: {0B364D7C-FDDB-564D-0000-00209CA10100} LogonId: 0x1a19c TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=963B55ACC8C566876364716D5AAFA353995812A8 ParentProcessGuid: {0B364D7C-FE43-564D-0000-0010F1720200} ParentProcessId: 576 ParentImage: C:\Program Files\Internet Explorer\iexplore.exe ParentCommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" | ||
- With option <HashAlgorithms>*</HashAlgorithms> the log would be: | ||
...Hashes: SHA1=8F86B5A06E440A9B60AC591F814F6A8FCA58DC1D,MD5=E3BD0CF8CD561F4D33255B2E6EB0C987,SHA256=B8BC88623FD2DCDB81A31777B4B82F7A24BA6086A8A58A00B4AF198DE8CB307D,IMPHASH=8F2AF1C4B2891D7DD75333449A5C4131 ParentProcessGuid... | ||
The new decoder captures everything between "=" and "ParentProcessGuid". | ||
--> | ||
|
||
<decoder name="Sysmon-EventID#1"> | ||
<type>windows</type> | ||
<prematch>INFORMATION\(1\)\.+HashType</prematch> | ||
<regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex> | ||
<order>status,user,url,data</order> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>INFORMATION\(1\)\.+HashType</prematch> | ||
<regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex> | ||
<order>status,user,url,data</order> | ||
</decoder> | ||
|
||
<decoder name="Sysmon-EventID#1_new"> | ||
<type>windows</type> | ||
<prematch>INFORMATION\(1\)\.+Hashes</prematch> | ||
<regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*Hashes: \S+=(\S*)\s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*.\S+) \s*ParentCommandLine:</regex> | ||
<order>status,user,url,data</order> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>INFORMATION\(1\)\.+Hashes</prematch> | ||
<regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*Hashes: \S+=(\S*)\s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*.\S+) \s*ParentCommandLine:</regex> | ||
<order>status,user,url,data</order> | ||
</decoder> | ||
|
||
|
||
|
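Review bot: both Event ID 1 regexes spell the parent PID key `ParentProcessID:` while every sample line in the comment block spells it `ParentProcessId:`; OSSEC decoder regexes match case-insensitively so this still decodes, but align the spelling with the log so the decoder does not rely on that. The comment for `Sysmon-EventID#1_new` says the decoder "captures everything between '=' and 'ParentProcessGuid'", yet with `<HashAlgorithms>*</HashAlgorithms>` the value is `SHA1=...,MD5=...,SHA256=...,IMPHASH=...` and `\S+=(\S*)` leaves it to the engine which `=` is anchored; add the multi-hash line from the comment as a test log so the captured `url` value is pinned down. Also, the other Sysmon decoders in this change anchor their `<prematch>` on `Microsoft-Windows-Sysmon/Operational: INFORMATION\(N\)`, whereas these two only anchor on `INFORMATION\(1\)\.+HashType` / `Hashes`, so any child of the `windows` parent with event ID 1 and those words would be claimed by them; anchoring on the Sysmon channel keeps the family consistent.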
@@ -2732,9 +2745,10 @@ Event ID 2: A process changed a file creation time | |
- dstport = CreationUtcTime | ||
Example: | ||
2015 Nov 19 18:32:16 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 18:32:16 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(2): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: File creation time changed: UtcTime: 2015-11-19 17:32:16.578 ProcessGuid: {0B364D7C-FE43-564D-0000-0010F1720200} ProcessId: 576 Image: C:\Program Files\Internet Explorer\iexplore.exe TargetFilename: C:\Users\Administrator.WIN-K3UD9R5LCEL\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QK9FKZ7I2DSU0MTCD160.temp CreationUtcTime: 2015-11-19 03:28:08.281 PreviousCreationUtcTime: 2015-11-19 17:32:16.578 | ||
2015 Nov 19 18:32:16 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(2): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: File creation time changed: UtcTime: 2015-11-19 17:32:16.578 ProcessGuid: {0B364D7C-FE43-564D-0000-0010F1720200} ProcessId: 576 Image: C:\Program Files\Internet Explorer\iexplore.exe TargetFilename: C:\Users\Administrator.WIN-K3UD9R5LCEL\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QK9FKZ7I2DSU0MTCD160.temp CreationUtcTime: 2015-11-19 03:28:08.281 PreviousCreationUtcTime: 2015-11-19 17:32:16.578 | ||
--> | ||
<decoder name="Sysmon-EventID#2"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(2\)</prematch> | ||
<regex offset="after_prematch">Image: (\.*)\s+TargetFilename: (\.*)\s+CreationUtcTime: (\.*)\s+PreviousCreationUtcTime: (\.*)</regex> | ||
|
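Review bot: the mapping `dstport = CreationUtcTime` puts a timestamp into a field that OSSEC documents and uses as a port (rules that compare or report `dstport` expect a number); `data` or `extra_data` would hold the value without that mismatch.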
@@ -2755,9 +2769,10 @@ Event ID 3: Network connection | |
- dstport = DestinationPort | ||
Example: | ||
2015 Nov 19 20:33:25 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected: UtcTime: 2015-11-19 19:33:23.824 ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100} ProcessId: 2028 Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe User: WIN-K3UD9R5LCEL\Administrator Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.2.201 SourceHostname: WIN-K3UD9R5LCEL.LinDomain SourcePort: 49192 SourcePortName: DestinationIsIpv6: false DestinationIp: XXX.58.XXX.206 DestinationHostname: webdest DestinationPort: 443 DestinationPortName: https | ||
2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected: UtcTime: 2015-11-19 19:33:23.824 ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100} ProcessId: 2028 Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe User: WIN-K3UD9R5LCEL\Administrator Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.2.201 SourceHostname: WIN-K3UD9R5LCEL.LinDomain SourcePort: 49192 SourcePortName: DestinationIsIpv6: false DestinationIp: XXX.58.XXX.206 DestinationHostname: webdest DestinationPort: 443 DestinationPortName: https | ||
--> | ||
<decoder name="Sysmon-EventID#3"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(3\)</prematch> | ||
<regex offset="after_prematch">Image: (\.*)\s+User: (\.*)\s+Protocol: (\S*)\s+Initiated\.+SourceIp: (\S*)\s+SourceHostname\.+SourcePort: (\S*)\s+SourcePortName:\.+DestinationIsIpv6\.+DestinationIp: (\S*)\s+DestinationHostname:\.+\s+DestinationPort: (\S*)</regex> | ||
|
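Review bot: the Event ID 3 regex requires a non-empty hostname via `DestinationHostname:\.+\s+DestinationPort:`, but the sample line in this very hunk shows `SourcePortName:` with an empty value, so an empty `DestinationHostname:` (no reverse lookup) is realistic and would make the whole regex fail, losing the IP and port captures. `DestinationHostname:\.*\s+DestinationPort:` decodes both cases, matching the `(\.*)\s+` form already used by `Sysmon-EventID#2`.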
@@ -2773,10 +2788,10 @@ Event ID 4: Sysmon service state changed | |
Example: | ||
2015 Nov 19 20:33:07 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 20:27:42 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(4): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Sysmon service state changed: UtcTime: 2015-11-19 19:27:42.796 State: Started | ||
2015 Nov 19 20:27:42 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(4): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Sysmon service state changed: UtcTime: 2015-11-19 19:27:42.796 State: Started | ||
--> | ||
<decoder name="Sysmon-EventID#4"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(4\)</prematch> | ||
<regex offset="after_prematch">State: (\S*)</regex> | ||
|
@@ -2792,9 +2807,10 @@ Event ID 5: Process terminated | |
Example: | ||
2015 Nov 19 20:41:59 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 20:41:57 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(5): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Process terminated: UtcTime: 2015-11-19 19:41:57.648 ProcessGuid: {0B364D7C-2353-564E-0000-001025511000} ProcessId: 2196 Image: C:\Windows\System32\wbem\WmiPrvSE.exe | ||
2015 Nov 19 20:41:57 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(5): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Process terminated: UtcTime: 2015-11-19 19:41:57.648 ProcessGuid: {0B364D7C-2353-564E-0000-001025511000} ProcessId: 2196 Image: C:\Windows\System32\wbem\WmiPrvSE.exe | ||
--> | ||
<decoder name="Sysmon-EventID#5"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(5\)</prematch> | ||
<regex offset="after_prematch">Image: (\S*)</regex> | ||
|
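Review bot: `Image: (\S*)` truncates the path at the first space, so an image under `C:\Program Files (x86)\...` (as in the Event ID 3 sample on this page) is captured as `C:\Program`; the Event ID 1 to 3 decoders use `(\.*)` for `Image`, and since it is the last field here `Image: (\.*)` is safe.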
@@ -2812,9 +2828,10 @@ Event ID 6: Driver loaded | |
- extra_data = Signature | ||
Example: | ||
2015 Nov 20 11:02:26 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 20 11:01:41 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(6): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Driver loaded: UtcTime: 2015-11-20 10:01:41.765 ImageLoaded: C:\Windows\System32\drivers\cdrom.sys Hashes: SHA1=89204964B695862C31B10AB7129EC96B66C78F89 Signed: true Signature: Microsoft Windows | ||
2015 Nov 20 11:01:41 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(6): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Driver loaded: UtcTime: 2015-11-20 10:01:41.765 ImageLoaded: C:\Windows\System32\drivers\cdrom.sys Hashes: SHA1=89204964B695862C31B10AB7129EC96B66C78F89 Signed: true Signature: Microsoft Windows | ||
--> | ||
<decoder name="Sysmon-EventID#6"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(6\)</prematch> | ||
<regex offset="after_prematch">ImageLoaded: (\S*)\s+Hashes: \S+=(\S*)\s+Signed: (\S*)\s+Signature: (\.*)</regex> | ||
|
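Review bot: `ImageLoaded: (\S*)` cuts driver paths at the first space, which matters for third-party drivers installed under `C:\Program Files\...`; `ImageLoaded: (\.*)\s+Hashes:` follows the form already used by `Sysmon-EventID#2`. The same `\S+=(\S*)` hash capture as in `Sysmon-EventID#1_new` is used here, so the multi-hash `<HashAlgorithms>*</HashAlgorithms>` case should get a sample line too.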
@@ -2833,9 +2850,10 @@ Event ID 7: Image loaded | |
- extra_data = Signature | ||
Example: | ||
2015 Nov 20 11:26:14 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 20 11:26:13 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(7): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Image loaded: UtcTime: 2015-11-20 10:26:13.672 ProcessGuid: {0B364D7C-F545-564E-0000-001085D69400} ProcessId: 2216 Image: C:\Windows\System32\cmd.exe ImageLoaded: C:\Windows\System32\msctf.dll Hashes: SHA1=E425577CCFC9B92EFBBCB760D21FCAA478D3E51A Signed: true Signature: Microsoft Windows | ||
2015 Nov 20 11:26:13 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(7): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Image loaded: UtcTime: 2015-11-20 10:26:13.672 ProcessGuid: {0B364D7C-F545-564E-0000-001085D69400} ProcessId: 2216 Image: C:\Windows\System32\cmd.exe ImageLoaded: C:\Windows\System32\msctf.dll Hashes: SHA1=E425577CCFC9B92EFBBCB760D21FCAA478D3E51A Signed: true Signature: Microsoft Windows | ||
--> | ||
<decoder name="Sysmon-EventID#7"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(7\)</prematch> | ||
<regex offset="after_prematch">Image: (\S*)\s+ImageLoaded: (\S*)\s+Hashes: \S+=(\S*)\s+Signed: (\S*)\s+Signature: (\.*)</regex> | ||
|
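Review bot: `Image: (\S*)\s+ImageLoaded: (\S*)` truncates both paths at the first space; `cmd.exe` and `msctf.dll` in the sample happen to have none, but images loaded from `C:\Program Files\...` will decode as `C:\Program`. `Image: (\.*)\s+ImageLoaded: (\.*)\s+Hashes:` avoids that.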
@@ -2854,9 +2872,10 @@ Event ID 8: CreateRemoteThread | |
- extra_data = StartFunction | ||
Example: | ||
2015 Nov 20 11:25:45 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 20 11:25:44 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(8): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: CreateRemoteThread detected: UtcTime: 2015-11-20 10:25:44.562 SourceProcessGuid: {0B364D7C-E952-564E-0000-00104C3B0000} SourceProcessId: 388 SourceImage: C:\Windows\System32\csrss.exe TargetProcessGuid: {0B364D7C-EF10-564E-0000-001010EA0700} TargetProcessId: 1152 TargetImage: C:\Windows\System32\cmd.exe NewThreadId: 2128 StartAddress: 0x00000000777F4910 StartModule: C:\Windows\system32\kernel32.dll StartFunction: CtrlRoutine | ||
2015 Nov 20 11:25:44 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(8): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: CreateRemoteThread detected: UtcTime: 2015-11-20 10:25:44.562 SourceProcessGuid: {0B364D7C-E952-564E-0000-00104C3B0000} SourceProcessId: 388 SourceImage: C:\Windows\System32\csrss.exe TargetProcessGuid: {0B364D7C-EF10-564E-0000-001010EA0700} TargetProcessId: 1152 TargetImage: C:\Windows\System32\cmd.exe NewThreadId: 2128 StartAddress: 0x00000000777F4910 StartModule: C:\Windows\system32\kernel32.dll StartFunction: CtrlRoutine | ||
--> | ||
<decoder name="Sysmon-EventID#8"> | ||
<parent>windows</parent> | ||
<type>windows</type> | ||
<prematch>Microsoft-Windows-Sysmon/Operational: INFORMATION\(8\)</prematch> | ||
<regex offset="after_prematch">SourceImage: (\S*)\s+\.+TargetImage: (\S*)\s+\.+StartModule: (\S*)\s+StartFunction: (\.*)</regex> | ||
|
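Review bot: `SourceImage: (\S*)`, `TargetImage: (\S*)` and `StartModule: (\S*)` all stop at the first space, so a source or target under `C:\Program Files\...` is recorded as `C:\Program`, which is exactly the detail an analyst needs for a CreateRemoteThread alert. Anchoring on the following keys instead, e.g. `SourceImage: (\.*)\s+TargetProcessGuid:` and `TargetImage: (\.*)\s+NewThreadId:`, keeps full paths and makes the skipping `\.+` segments unnecessary.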