Sysmon relation between multiple rules for the same field

János Szigetvári 46 Reputation points
2022-11-28T14:45:32.88+00:00

Dear Members,

I am relatively new to Sysmon, and I have to create a sysmon ruleset.
My intention would be to monitor file deletions and the creation of new files in a certain directory, with a certain file extension.
However I noticed that the ruleset is not entirely behaving as I intended.
The problem is that the rules seem to be evaluated as if there was an OR relation between them, while I would like them to behave as having an AND relation between them.
This is the relevant part of my ruleset: 

<Sysmon schemaversion="4.50">  
	<EventFiltering>  
...  
		<RuleGroup name="23-eeee-bins" groupRelation="and">  
			<FileDelete onmatch="include">  
				<TargetFilename name="" condition="begin with">C:\Program Files\eeee</TargetFilename>  
				<TargetFilename name="" condition="end with">.exe</TargetFilename>  
			</FileDelete>  
		</RuleGroup>  
	  
		<RuleGroup name="23-eeee-libs" groupRelation="and">  
			<FileDelete onmatch="include">  
				<TargetFilename name="" condition="begin with">C:\Program Files\eeee</TargetFilename>  
				<TargetFilename name="" condition="end with">.dll</TargetFilename>  
			</FileDelete>  
		</RuleGroup>  
...  
	</EventFiltering>  
</Sysmon>

In practice I noticed that the ruleset picked up the creation of dll files outside of the folder of interest too, and that's not what I want.
How could I force that both rules inside the rulegroup must be true for the auditing to happen?

Thanks in advance!

Best Regards,
János

Sysinternals
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,082 questions
0 comments
Accepted answer
  1. Michael_N 961 Reputation points
    2022-11-28T16:33:09.303+00:00

    @János Szigetvári , there are many ways to "design" a Sysmon configuration file but personally I would write your code like this instead (with an outer OR-based RuleGroup and two inner Rules): 

    <Sysmon schemaversion="4.50">  
     <EventFiltering>  
 ...  
        <!-- Event ID 23: FileDelete (A file delete was detected) -->  
  
        <RuleGroup name="FileDelete - Include" groupRelation="or">  
            <FileDelete onmatch="include">  
              
                <Rule name="Exe case" groupRelation="and">  
                    <TargetFilename condition="begin with">C:\Program Files\eeee</TargetFilename>  
                    <TargetFilename condition="end with">.exe</TargetFilename>  
                </Rule>   
              
                <Rule name="Dll case" groupRelation="and">  
                    <TargetFilename condition="begin with">C:\Program Files\eeee</TargetFilename>  
                    <TargetFilename condition="end with">.dll</TargetFilename>  
                </Rule>   
                  
            </FileDelete>  
        </RuleGroup>  
 ...  
   
     </EventFiltering>  
 </Sysmon>

    I haven't tested this explicitly but I'm pretty confident this will work since this is how I've designed my Sysmon config file(s).

    Also, if you need inspiration and ideas on rule writing have a look at these public rule files:

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. János Szigetvári 46 Reputation points
    2022-11-28T15:02:07.95+00:00

    Just for the record I am running Sysmon 14.12.

    0 comments