diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f0e86715..75bc099f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
# Change Log
All notable changes to this project will be documented in this file.
+## [v1.01] - 2015-11-24
+### Fixed
+- All sysmon decoders have *windows* as parent.
+
## [v1.00] - 2015-11-21
### Added
- Puppet Decoders & Rules.
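Review bot: the `### Fixed` entry says what was done but not what was broken, which is what a v1.00 user needs to know. In OSSEC a decoder with no parent is only ever tried as a top-level decoder, and because the generic `windows` decoder already claims every `WinEvtLog:` line, Sysmon decoders without a `windows` parent were presumably never reached, so Sysmon events were decoded only as generic Windows events and any Sysmon rules stayed silent. Suggest wording the entry along the lines of "Sysmon decoders were never reached because they lacked *windows* as parent; all of them now declare it", so the entry tells readers whether they were affected.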
diff --git a/VERSION b/VERSION
index 1e376f661..f2457ad8b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.00
+1.01
diff --git a/rules-decoders/decoder.xml b/rules-decoders/decoder.xml
index fc3006210..9abe69de7 100644
--- a/rules-decoders/decoder.xml
+++ b/rules-decoders/decoder.xml
@@ -2673,26 +2673,37 @@ Author and (c): Michael Starks, 2014 -->
+
+
+
-->
-windows
-INFORMATION\(1\)\.+HashType
-Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:
-status,user,url,data
+ windows
+ windows
+ INFORMATION\(1\)\.+HashType
+ Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:
+ status,user,url,data
-windows
-INFORMATION\(1\)\.+Hashes
-Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*Hashes: \S+=(\S*)\s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*.\S+) \s*ParentCommandLine:
-status,user,url,data
+ windows
+ windows
+ INFORMATION\(1\)\.+Hashes
+ Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*Hashes: \S+=(\S*)\s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*.\S+) \s*ParentCommandLine:
+ status,user,url,data
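Review bot: the `Hashes: \S+=(\S*)` capture in the second Event ID 1 regex (the `Hashes` variant for newer Sysmon builds) takes everything up to the next whitespace, so on a host where Sysmon is configured with more than one hash algorithm the `url` field receives the comma-joined remainder (`SHA1=<hash>,MD5=<hash>` style) rather than a single hash; either stop the capture at `,` as well or say in the header comment that `url` may carry several algorithm=hash pairs, because a rule that compares `url` against a hash list will otherwise never match. The `order` line maps Image to `status`, User to `user`, the hash to `url` and ParentImage to `data` in both variants; a one-line comment naming those mappings would save rule writers reverse-engineering them. Also, the re-indentation of both existing blocks makes this hunk several times larger than its substance, which is the two added `windows` parent lines; consider keeping whitespace-only changes separate.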
@@ -2732,9 +2745,10 @@ Event ID 2: A process changed a file creation time
- dstport = CreationUtcTime
Example:
-2015 Nov 19 18:32:16 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 18:32:16 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(2): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: File creation time changed: UtcTime: 2015-11-19 17:32:16.578 ProcessGuid: {0B364D7C-FE43-564D-0000-0010F1720200} ProcessId: 576 Image: C:\Program Files\Internet Explorer\iexplore.exe TargetFilename: C:\Users\Administrator.WIN-K3UD9R5LCEL\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QK9FKZ7I2DSU0MTCD160.temp CreationUtcTime: 2015-11-19 03:28:08.281 PreviousCreationUtcTime: 2015-11-19 17:32:16.578
+2015 Nov 19 18:32:16 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(2): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: File creation time changed: UtcTime: 2015-11-19 17:32:16.578 ProcessGuid: {0B364D7C-FE43-564D-0000-0010F1720200} ProcessId: 576 Image: C:\Program Files\Internet Explorer\iexplore.exe TargetFilename: C:\Users\Administrator.WIN-K3UD9R5LCEL\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QK9FKZ7I2DSU0MTCD160.temp CreationUtcTime: 2015-11-19 03:28:08.281 PreviousCreationUtcTime: 2015-11-19 17:32:16.578
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(2\)
Image: (\.*)\s+TargetFilename: (\.*)\s+CreationUtcTime: (\.*)\s+PreviousCreationUtcTime: (\.*)
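Review bot: the regex captures both `CreationUtcTime` and `PreviousCreationUtcTime`, but the header lines above only document `dstport = CreationUtcTime`, so the comparison that makes Event ID 2 worth a rule is left unexplained: in the example the new creation time (2015-11-19 03:28:08) is earlier than the previous one (2015-11-19 17:32:16), which is the timestomping pattern an analyst looks for. Please document which field the previous time lands in and state that a rule comparing the two is the intended use; storing a timestamp in `dstport` is also worth a sentence so nobody expects a number there. The example line change is right: dropping the `(windows_2008) 192.168.2.201->WinEvtLog` agent header leaves the string the prematch actually sees after the agent/location prefix has been stripped.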
@@ -2755,9 +2769,10 @@ Event ID 3: Network connection
- dstport = DestinationPort
Example:
-2015 Nov 19 20:33:25 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected: UtcTime: 2015-11-19 19:33:23.824 ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100} ProcessId: 2028 Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe User: WIN-K3UD9R5LCEL\Administrator Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.2.201 SourceHostname: WIN-K3UD9R5LCEL.LinDomain SourcePort: 49192 SourcePortName: DestinationIsIpv6: false DestinationIp: XXX.58.XXX.206 DestinationHostname: webdest DestinationPort: 443 DestinationPortName: https
+2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected: UtcTime: 2015-11-19 19:33:23.824 ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100} ProcessId: 2028 Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe User: WIN-K3UD9R5LCEL\Administrator Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.2.201 SourceHostname: WIN-K3UD9R5LCEL.LinDomain SourcePort: 49192 SourcePortName: DestinationIsIpv6: false DestinationIp: XXX.58.XXX.206 DestinationHostname: webdest DestinationPort: 443 DestinationPortName: https
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(3\)
Image: (\.*)\s+User: (\.*)\s+Protocol: (\S*)\s+Initiated\.+SourceIp: (\S*)\s+SourceHostname\.+SourcePort: (\S*)\s+SourcePortName:\.+DestinationIsIpv6\.+DestinationIp: (\S*)\s+DestinationHostname:\.+\s+DestinationPort: (\S*)
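Review bot: `DestinationHostname:\.+\s+DestinationPort:` requires at least one character followed by whitespace after `DestinationHostname:`, so an event where Sysmon could not reverse-resolve the destination and leaves the field empty, which is exactly the direct-to-IP traffic a connection rule is meant to catch, may fail the whole regex and never be decoded; `SourcePortName:\.+DestinationIsIpv6` has the same shape, and the example already shows `SourcePortName:` empty. Run the example through ossec-logtest with `DestinationHostname:` blanked and change `\.+` to `\.*` if it does not match. The dropped `(windows_2008) 192.168.2.201->WinEvtLog` prefix in the example is consistent with the other hunks.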
@@ -2773,10 +2788,10 @@ Event ID 4: Sysmon service state changed
Example:
-2015 Nov 19 20:33:07 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 20:27:42 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(4): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Sysmon service state changed: UtcTime: 2015-11-19 19:27:42.796 State: Started
-
+2015 Nov 19 20:27:42 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(4): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Sysmon service state changed: UtcTime: 2015-11-19 19:27:42.796 State: Started
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(4\)
State: (\S*)
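Review bot: `State: (\S*)` decodes both `Started` and `Stopped`, and the second value is the one a detection engineer needs, since a Sysmon service stop means the host goes dark, yet neither the header lines above nor the changelog say that a rule on this field should alert on `Stopped`; one sentence in the header would make the intended use explicit. The example fix is correct: the old line carried two different timestamps (receipt 20:33:07 versus event 20:27:42), and the decoder only ever sees the inner one.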
@@ -2792,9 +2807,10 @@ Event ID 5: Process terminated
Example:
-2015 Nov 19 20:41:59 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 19 20:41:57 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(5): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Process terminated: UtcTime: 2015-11-19 19:41:57.648 ProcessGuid: {0B364D7C-2353-564E-0000-001025511000} ProcessId: 2196 Image: C:\Windows\System32\wbem\WmiPrvSE.exe
+2015 Nov 19 20:41:57 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(5): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Process terminated: UtcTime: 2015-11-19 19:41:57.648 ProcessGuid: {0B364D7C-2353-564E-0000-001025511000} ProcessId: 2196 Image: C:\Windows\System32\wbem\WmiPrvSE.exe
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(5\)
Image: (\S*)
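Review bot: `Image: (\S*)` stops at the first space, so a terminated process whose path contains one decodes as `C:\Program` rather than the full image; the Event ID 2 and 3 examples above show exactly such a path (`C:\Program Files\Internet Explorer\iexplore.exe`). Because `Image` is the last field in an Event ID 5 message, the capture can simply be `(\.*)` as the Event 2 and 3 decoders already do, with no risk of over-matching.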
@@ -2812,9 +2828,10 @@ Event ID 6: Driver loaded
- extra_data = Signature
Example:
-2015 Nov 20 11:02:26 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 20 11:01:41 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(6): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Driver loaded: UtcTime: 2015-11-20 10:01:41.765 ImageLoaded: C:\Windows\System32\drivers\cdrom.sys Hashes: SHA1=89204964B695862C31B10AB7129EC96B66C78F89 Signed: true Signature: Microsoft Windows
+2015 Nov 20 11:01:41 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(6): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Driver loaded: UtcTime: 2015-11-20 10:01:41.765 ImageLoaded: C:\Windows\System32\drivers\cdrom.sys Hashes: SHA1=89204964B695862C31B10AB7129EC96B66C78F89 Signed: true Signature: Microsoft Windows
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(6\)
ImageLoaded: (\S*)\s+Hashes: \S+=(\S*)\s+Signed: (\S*)\s+Signature: (\.*)
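Review bot: `ImageLoaded: (\S*)\s+Hashes:` does not merely truncate on a driver path containing a space, it fails the whole regex, because once `\S*` stops at the space the engine expects the literal `Hashes:` and finds the remainder of the path instead. Third-party drivers are the ones installed under paths like `C:\Program Files\` and also the ones a `Signed: false` or non-Microsoft `Signature` rule is meant to catch, so use `(\.*)` here as the Event 2 and 3 decoders do. The `Signed` and `Signature` captures are the right fields to expose; the header should state that `Signed: false` or a `Signature` other than `Microsoft Windows` is the alerting condition rather than leaving it implicit.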
@@ -2833,9 +2850,10 @@ Event ID 7: Image loaded
- extra_data = Signature
Example:
-2015 Nov 20 11:26:14 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 20 11:26:13 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(7): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Image loaded: UtcTime: 2015-11-20 10:26:13.672 ProcessGuid: {0B364D7C-F545-564E-0000-001085D69400} ProcessId: 2216 Image: C:\Windows\System32\cmd.exe ImageLoaded: C:\Windows\System32\msctf.dll Hashes: SHA1=E425577CCFC9B92EFBBCB760D21FCAA478D3E51A Signed: true Signature: Microsoft Windows
+2015 Nov 20 11:26:13 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(7): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Image loaded: UtcTime: 2015-11-20 10:26:13.672 ProcessGuid: {0B364D7C-F545-564E-0000-001085D69400} ProcessId: 2216 Image: C:\Windows\System32\cmd.exe ImageLoaded: C:\Windows\System32\msctf.dll Hashes: SHA1=E425577CCFC9B92EFBBCB760D21FCAA478D3E51A Signed: true Signature: Microsoft Windows
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(7\)
Image: (\S*)\s+ImageLoaded: (\S*)\s+Hashes: \S+=(\S*)\s+Signed: (\S*)\s+Signature: (\.*)
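Review bot: the same `\S*` defect as in the Event ID 5 and 6 regexes appears twice here: `Image: (\S*)` and `ImageLoaded: (\S*)` both stop at a space and the following literal (`ImageLoaded:` and `Hashes:` respectively) then fails, so a DLL loaded by `C:\Program Files\Internet Explorer\iexplore.exe` (the process in the Event 2 and 3 examples) is never decoded; the example passes only because `cmd.exe` and `msctf.dll` both live under `System32`. Use `(\.*)` for both path captures. The header should also warn that Event ID 7 is by far the highest-volume Sysmon event and is normally trimmed with a Sysmon-side include filter before it reaches the decoder.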
@@ -2854,9 +2872,10 @@ Event ID 8: CreateRemoteThread
- extra_data = StartFunction
Example:
-2015 Nov 20 11:25:45 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 20 11:25:44 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(8): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: CreateRemoteThread detected: UtcTime: 2015-11-20 10:25:44.562 SourceProcessGuid: {0B364D7C-E952-564E-0000-00104C3B0000} SourceProcessId: 388 SourceImage: C:\Windows\System32\csrss.exe TargetProcessGuid: {0B364D7C-EF10-564E-0000-001010EA0700} TargetProcessId: 1152 TargetImage: C:\Windows\System32\cmd.exe NewThreadId: 2128 StartAddress: 0x00000000777F4910 StartModule: C:\Windows\system32\kernel32.dll StartFunction: CtrlRoutine
+2015 Nov 20 11:25:44 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(8): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: CreateRemoteThread detected: UtcTime: 2015-11-20 10:25:44.562 SourceProcessGuid: {0B364D7C-E952-564E-0000-00104C3B0000} SourceProcessId: 388 SourceImage: C:\Windows\System32\csrss.exe TargetProcessGuid: {0B364D7C-EF10-564E-0000-001010EA0700} TargetProcessId: 1152 TargetImage: C:\Windows\System32\cmd.exe NewThreadId: 2128 StartAddress: 0x00000000777F4910 StartModule: C:\Windows\system32\kernel32.dll StartFunction: CtrlRoutine
-->
+ windows
windows
Microsoft-Windows-Sysmon/Operational: INFORMATION\(8\)
SourceImage: (\S*)\s+\.+TargetImage: (\S*)\s+\.+StartModule: (\S*)\s+StartFunction: (\.*)
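Review bot: the example chosen for this decoder is a benign pattern that any rule on it will fire on: `csrss.exe` creating a thread in `cmd.exe` at `kernel32.dll` `CtrlRoutine` is how Windows delivers console control signals (Ctrl+C and friends), so the header should flag `SourceImage` ending in `csrss.exe` with `StartFunction: CtrlRoutine` as an expected false positive to exclude in the rules. The regex also skips `StartAddress` with `\.+`; for a genuinely injected thread the start address is typically not backed by any module, in which case `StartModule: (\S*)` captures an empty string, and that empty `StartModule` is the cleanest signal a rule can key on, so the header should say so. The path captures use `(\S*)` and break on spaces exactly as in the Event 5 to 7 regexes.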