Condition "not begin with" is not working as expected

Joe Doe 156 Reputation points
2022-12-06T18:52:35.973+00:00

It seems that the condition "not begin with" is not working properly. My expectation is that it filters out every event that does not start with the given path.

Example:

<RuleGroup name="Audit_All_ImageLoad" groupRelation="or">
<ImageLoad onmatch="include">
<ImageLoaded condition="not begin with">C:\Windows\System32\</ImageLoaded>
<ImageLoaded condition="not begin with">C:\Windows\SysWOW64\</ImageLoaded>
</ImageLoad>
</RuleGroup>

My expectation is that I only see events (EID 7 in this case) where the ImageLoaded path does NOT start with C:\Windows\System32\ or C:\Windows\SysWOW64\. But instead I see all events: I get events with ImageLoaded paths under C:\Windows\System32\ and other paths (not starting with C:\Windows\System32\).

The condition "begin with" is working as expected.

I've tested this with Sysmon 14.11, 14.12 and 14.13 on Windows 10, 2016, 2019 and 2022.

Attachments:
267941-eid7.xml
267829-eid7.xml


Accepted answer
Michael_N 961 Reputation points
2022-12-08T14:39:00.837+00:00

@Joe Doe, you want both your conditions to be true, so you need to use a Rule, like this:

<ImageLoad onmatch="include">
    <Rule name="Abnormal DLLs" groupRelation="and">
        <ImageLoaded condition="not begin with">C:\Windows\System32\</ImageLoaded>
        <ImageLoaded condition="not begin with">C:\Windows\SysWOW64\</ImageLoaded>
    </Rule>
</ImageLoad>

Otherwise, all events will match either one of your conditions, with the end result that all images/DLLs are loaded.
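The accepted answer's point, that conditions placed directly under ImageLoad are combined with the RuleGroup's groupRelation="or" while a Rule with groupRelation="and" requires both conditions to hold, can be reproduced offline with the following added Python example. It is not Sysmon's code and not from the thread: it re-implements only the "begin with" / "not begin with" conditions and the include/exclude decision for one event type, assumes case-insensitive comparison as Sysmon performs it, and runs both configurations from the thread over a few constructed ImageLoaded paths.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the question's config: two "not begin with" conditions
# directly under ImageLoad, combined by the RuleGroup's groupRelation="or".
QUESTION_CONFIG = r"""
<RuleGroup name="Audit_All_ImageLoad" groupRelation="or">
  <ImageLoad onmatch="include">
    <ImageLoaded condition="not begin with">C:\Windows\System32\</ImageLoaded>
    <ImageLoaded condition="not begin with">C:\Windows\SysWOW64\</ImageLoaded>
  </ImageLoad>
</RuleGroup>
"""

# Constructed copy of the accepted answer's fix: the same two conditions
# wrapped in a Rule whose groupRelation="and" requires both to hold.
ANSWER_CONFIG = r"""
<RuleGroup name="Audit_All_ImageLoad" groupRelation="or">
  <ImageLoad onmatch="include">
    <Rule name="Abnormal DLLs" groupRelation="and">
      <ImageLoaded condition="not begin with">C:\Windows\System32\</ImageLoaded>
      <ImageLoaded condition="not begin with">C:\Windows\SysWOW64\</ImageLoaded>
    </Rule>
  </ImageLoad>
</RuleGroup>
"""


def condition_holds(condition, pattern, field_value):
    """Evaluate one Sysmon string condition against one field value.

    Assumption: comparisons are case-insensitive, as Sysmon's are. Only the
    two conditions used in the thread are implemented in this example.
    """
    pattern, field_value = pattern.lower(), field_value.lower()
    if condition == "begin with":
        return field_value.startswith(pattern)
    if condition == "not begin with":
        return not field_value.startswith(pattern)
    raise ValueError(f"condition not implemented in this example: {condition!r}")


def combine(results, relation):
    """Apply a groupRelation ("and" / "or") to a list of condition results."""
    if not results:
        return False
    return all(results) if relation == "and" else any(results)


def filter_matches(filter_elem, group_relation, event):
    """Return True when an ImageLoad filter block matches the event's fields.

    Conditions directly under the filter element are combined with the
    enclosing RuleGroup's groupRelation; conditions inside a <Rule> are first
    combined with that Rule's own groupRelation (default "or").
    """
    results = []
    for child in filter_elem:
        if child.tag == "Rule":
            rule_relation = child.get("groupRelation", "or").lower()
            inner = [
                condition_holds(c.get("condition"), (c.text or "").strip(),
                                event.get(c.tag, ""))
                for c in child
            ]
            results.append(combine(inner, rule_relation))
        else:
            results.append(condition_holds(child.get("condition"),
                                           (child.text or "").strip(),
                                           event.get(child.tag, "")))
    return combine(results, group_relation)


def event_is_logged(config_xml, image_path):
    """Decide whether an EID 7 event for image_path would be recorded.

    Simplified model: with onmatch="include" the event is logged only when the
    filter matches, and a matching onmatch="exclude" filter always suppresses
    it. The thread's configs contain a single include filter, where this is exact.
    """
    rulegroup = ET.fromstring(config_xml.strip())
    relation = rulegroup.get("groupRelation", "or").lower()
    event = {"ImageLoaded": image_path}
    included = excluded = False
    for filt in rulegroup.findall("ImageLoad"):
        matched = filter_matches(filt, relation, event)
        if filt.get("onmatch", "include").lower() == "exclude":
            excluded = excluded or matched
        else:
            included = included or matched
    return included and not excluded


SAMPLE_PATHS = [  # constructed sample ImageLoaded values, not real telemetry
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\SysWOW64\kernel32.dll",
    r"C:\Users\joe\AppData\Local\Temp\helper.dll",
]

if __name__ == "__main__":
    for label, cfg in (("question (or)", QUESTION_CONFIG), ("answer (and)", ANSWER_CONFIG)):
        print(label)
        for p in SAMPLE_PATHS:
            print(f"  logged={event_is_logged(cfg, p)!s:5}  {p}")
```

Running it shows the behaviour from the question: with the "or" grouping every path is logged, because any path that lives under System32 still satisfies the "not begin with SysWOW64" condition and vice versa, whereas the "and" Rule logs only the path outside both directories.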

