Use of CommandLine rules in Sysmon v13.02

Michael_N 961 Reputation points
2021-04-15T12:06:35.64+00:00

I'm doing some testing with Sysmon version 13.02 and can't get some rules based on CommandLine to match.
This is my test config file:

<Sysmon schemaversion="4.50">
    <EventFiltering> 

        <RuleGroup name="ProcessCreate - Include" groupRelation="or">
            <ProcessCreate onmatch="include">
                <CommandLine name="Net user contains" condition="contains">net user</CommandLine>
                <CommandLine name="Net user begin with" condition="begin with">net user</CommandLine>
                <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
            </ProcessCreate>
        </RuleGroup>

        <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
            <ProcessTerminate onmatch="include">
                <!-- Empty rule set -->  
            </ProcessTerminate>
        </RuleGroup>

    </EventFiltering>
</Sysmon>

Running 'net user' from the command prompt only yields an event with 'Default catch' as the RuleName.
Neither of the CommandLine rules matches!
What am I doing wrong? Or is this a bug?


Accepted answer
  1. Michael_N 961 Reputation points
    2021-04-16T06:11:11.727+00:00

    I managed to get a working solution that works in this limited test scenario.
    You need to explicitly exclude the known cases in the default rule as in the example below:

    <Sysmon schemaversion="4.50">
        <EventFiltering>

            <RuleGroup name="ProcessCreate - Include" groupRelation="or">
                <ProcessCreate onmatch="include">
                    <Rule groupRelation="and" name="Net with user parameter">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <CommandLine condition="contains"> user</CommandLine>
                    </Rule>
                    <Rule groupRelation="and" name="Net with use parameter">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <CommandLine condition="contains"> use</CommandLine>
                    </Rule>
                    <Rule groupRelation="and" name="Net with session parameter">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <CommandLine condition="contains"> session</CommandLine>
                    </Rule>
                    <Rule groupRelation="and" name="Default net case">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <CommandLine condition="excludes any"> user; use; session</CommandLine>
                    </Rule>
                </ProcessCreate>
            </RuleGroup>

            <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
                <ProcessTerminate onmatch="include">
                    <!-- Empty rule set -->
                </ProcessTerminate>
            </RuleGroup>

        </EventFiltering>
    </Sysmon>


    The problem is that my real world config file is much more complicated than this...

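As an added example (not code from this thread or from Sysmon itself), the following Python checker applies a simplified model of Sysmon's filter conditions to a constructed ProcessCreate event and lists every include rule that matches. It assumes case-insensitive matching and a plain `;` split for the "any" conditions, and it does not model which RuleName Sysmon reports when several rules match; what it shows is that all three rules of the first config overlap on "net user", while the accepted answer's rules are mutually exclusive, so only one can ever match.

```python
import xml.etree.ElementTree as ET

CONDITIONS = {  # subset of Sysmon conditions; matching modelled as case-insensitive (assumption)
    "is": lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "begin with": lambda v, p: v.startswith(p),
    "contains any": lambda v, p: any(s in v for s in p.split(";") if s),
    "excludes any": lambda v, p: not any(s in v for s in p.split(";") if s),
}

def filter_matches(elem, event):
    # elem is one field filter such as <Image condition="is">...</Image>
    value = event.get(elem.tag, "")
    cond = CONDITIONS[elem.get("condition", "is")]
    return bool(value) and cond(value.lower(), (elem.text or "").lower())

def matching_rules(config_xml, event):
    """Names of every ProcessCreate include rule that matches the event dict."""
    names = []
    for group in ET.fromstring(config_xml).iter("RuleGroup"):
        pc = group.find("ProcessCreate")
        if pc is None or pc.get("onmatch") != "include":
            continue
        if group.get("groupRelation", "or") == "and":
            # groupRelation="and": the whole group is one rule, every filter must match
            if all(filter_matches(f, event) for f in pc):
                names.append(group.get("name"))
            continue
        for child in pc:
            if child.tag == "Rule":  # compound rule with its own and/or relation
                hits = [filter_matches(f, event) for f in child]
                ok = all(hits) if child.get("groupRelation") == "and" else any(hits)
            else:
                ok = filter_matches(child, event)
            if ok:
                names.append(child.get("name"))
    return names

# Constructed inputs: trimmed copies of the thread's first and accepted configs
ORIGINAL = r"""<Sysmon schemaversion="4.50"><EventFiltering><RuleGroup groupRelation="or"><ProcessCreate onmatch="include">
<CommandLine name="Net user contains" condition="contains">net user</CommandLine>
<CommandLine name="Net user begin with" condition="begin with">net user</CommandLine>
<Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image></ProcessCreate></RuleGroup></EventFiltering></Sysmon>"""
ACCEPTED = r"""<Sysmon schemaversion="4.50"><EventFiltering><RuleGroup groupRelation="or"><ProcessCreate onmatch="include">
<Rule groupRelation="and" name="Net with user parameter"><Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="contains"> user</CommandLine></Rule>
<Rule groupRelation="and" name="Default net case"><Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="excludes any"> user; use; session</CommandLine></Rule></ProcessCreate></RuleGroup></EventFiltering></Sysmon>"""
NET_USER = {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"}
print(matching_rules(ORIGINAL, NET_USER), matching_rules(ACCEPTED, NET_USER))  # 3 overlapping vs 1
```

Running it against a real config before deployment is a quick way to spot rules that overlap, or gaps such as a command line that every rule excludes.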

2 additional answers

  1. dstaulcu 351 Reputation points
    2021-04-15T12:59:40.943+00:00

    I ran process create without any filters to see what things would look like. Turns out the CommandLine field does not have a full path to the image with calls to net1.exe OR net.exe.


    With that in mind, constructing a rule group based both on Image and CommandLine filters does the trick for me:

    <RuleGroup name="ProcessCreate - Include" groupRelation="and">
        <ProcessCreate onmatch="include">
            <Image name="" condition="contains any">net.exe;net1.exe</Image>
            <CommandLine name="" condition="contains"> use</CommandLine>
        </ProcessCreate>
    </RuleGroup>


  2. Michael_N 961 Reputation points
    2021-04-15T14:34:44.923+00:00

    Thanks for your suggestion @dstaulcu but that isn't really what I want. I want to have a number of specific rules
    (e.g. commands launched with specific parameters) high up in my configuration file followed by a more
    general rule at the bottom of the config file. And all rules are interesting outcomes/matches for me.

    I've tried to rewrite my test config file to more closely follow your example but the end result is the same,
    i.e. the event is logged with the 'Default catch' rulename.

    <Sysmon schemaversion="4.50">
        <EventFiltering>

            <RuleGroup name="ProcessCreate - Include" groupRelation="or">
                <ProcessCreate onmatch="include">
                    <Rule groupRelation="and" name="Net with user parameter">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <CommandLine condition="contains"> user</CommandLine>
                    </Rule>
                    <Rule groupRelation="and" name="Net with session parameter">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <CommandLine condition="contains"> session</CommandLine>
                    </Rule>
                    <Rule groupRelation="and" name="Default catch">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                    </Rule>
                </ProcessCreate>
            </RuleGroup>

            <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
                <ProcessTerminate onmatch="include">
                    <!-- Empty rule set -->
                </ProcessTerminate>
            </RuleGroup>

        </EventFiltering>
    </Sysmon>