Use of OriginalFileName rules in Sysmon v13.02

Michael_N 961 Reputation points
2021-04-15T15:00:44.01+00:00

I'm learning Sysmon and am doing some testing with v13.02, and I can't get rules based on OriginalFileName to match.
This is my test config file:

<Sysmon schemaversion="4.50">
    <EventFiltering> 

        <RuleGroup name="ProcessCreate - Include" groupRelation="or">
            <ProcessCreate onmatch="include">
                <OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
                <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
            </ProcessCreate>
        </RuleGroup>

        <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
            <ProcessTerminate onmatch="include">
                <!-- Empty rule set -->  
            </ProcessTerminate>
        </RuleGroup>

    </EventFiltering>
</Sysmon>

The result is an event logged with the 'Default catch' RuleName even though the event contents shows that the OriginalFileName
is net.exe.

Process Create:
RuleName: Default catch
UtcTime: 2021-04-15 14:53:08.216
ProcessGuid: {952ebdeb-5354-6078-d205-000000006700}
ProcessId: 2548
Image: C:\Windows\System32\net.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net  user
<snip>

What am I missing? Or is this a bug?


Accepted answer
  1. Michael_N 961 Reputation points
    2021-04-16T07:09:24.227+00:00

    Ah, I found a workaround that works and is only a tiny bit cumbersome: add a filter with a very low 'precedence'
    to the default case. (You can find out the schema precedence by dumping the schema with "sysmon[64].exe -s".)
    Here is the final working test case:

    <Sysmon schemaversion="4.50">
        <EventFiltering> 
    
            <RuleGroup name="ProcessCreate - Include" groupRelation="or">
                <ProcessCreate onmatch="include">
                    <OriginalFileName name="Original filename catch"  condition="is">net.exe</OriginalFileName>
                    <Rule name="Default catch" groupRelation="and">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                        <ParentCommandLine condition="is not">bogus_value</ParentCommandLine>
                    </Rule> 
                </ProcessCreate>
            </RuleGroup>
    
            <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
                <ProcessTerminate onmatch="include">
                    <!-- Empty rule set -->  
                </ProcessTerminate>
            </RuleGroup>
    
        </EventFiltering>
    </Sysmon>
    

1 additional answer

  1. Michael_N 961 Reputation points
    2021-04-16T06:30:26.39+00:00

    Continued research led me to TrustedSec's Sysmon Community Guide which (partly) told me
    the answer. On page 18 in the v1.2 version of the PDF you find:

    Rules are processed in the order they are placed in the configuration file. This is important
    because once a Rule matches and the information for that EventType is included in the Windows
    EventLog, no other rule will be processed against that action. Filters that are not in a Rule
    element will be processed in the order that they appear in the schema. This also applies to
    multiple filters inside a Rule where the schema order is used.

    So the problem is that Image rules have higher "precedence" than OriginalFileName rules.

    The problem is though that enclosing the filters in rule tags, as suggested above, doesn't work
    either. The config file below gives you the same result, i.e. a 'Default catch' event. :-(

    <Sysmon schemaversion="4.50">
        <EventFiltering> 
    
            <RuleGroup name="ProcessCreate - Include" groupRelation="or">
                <ProcessCreate onmatch="include">
                    <Rule name="Original filename catch" groupRelation="and">
                        <OriginalFileName condition="is">net.exe</OriginalFileName>
                    </Rule> 
                    <Rule name="Default catch" groupRelation="and">
                        <Image condition="is">C:\Windows\System32\net.exe</Image>
                    </Rule> 
                </ProcessCreate>
            </RuleGroup>
    
            <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
                <ProcessTerminate onmatch="include">
                    <!-- Empty rule set -->  
                </ProcessTerminate>
            </RuleGroup>
    
        </EventFiltering>
    </Sysmon>
    
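The three configs in this thread (bare filters, both filters wrapped in Rule elements, and the accepted workaround with a low-precedence ParentCommandLine filter) are consistent with one simple ordering model: a rule is decided at the schema position of the last field it needs, and the earliest decided include rule sets RuleName. The script below is an added example written for this thread, not Sysmon code and not something Sysinternals documents. It parses a Sysmon config, applies that model to the ProcessCreate event from the question, and reproduces the observed RuleName for all three configs, so it can be used as an offline check before loading a config. The ordering model is an inference fitted to this thread's observations, the ParentCommandLine value in the event is constructed, and the schema positions after CommandLine are assumed from the 4.50 ProcessCreate schema; confirm them with `sysmon64.exe -s`.

```python
"""Predict which Sysmon include rule sets RuleName for one ProcessCreate event.

Model (inferred from the three configs in this thread, not documented Sysmon
behaviour): an AND rule is decided at the schema position of its last field,
an OR rule or bare filter at its first matching field; the earliest decided
include rule wins, ties broken by config order. Exclude rules always win.
"""
import xml.etree.ElementTree as ET

# ProcessCreate field order. Fields up to CommandLine are copied from the event
# in the question; the rest are the schema 4.50 order as recalled by the author
# of this example (ASSUMPTION: verify with 'sysmon64.exe -s').
SCHEMA_ORDER = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine",
]


def _matches(cond, actual, expected):
    """Evaluate one Sysmon condition; Sysmon compares case-insensitively."""
    a, e = actual.lower(), expected.lower()
    return {
        "is": a == e, "is not": a != e,
        "contains": e in a, "excludes": e not in a,
        "begin with": a.startswith(e), "end with": a.endswith(e),
        "image": a == e or a.rsplit("\\", 1)[-1] == e,  # full path or file name
    }[cond]


def load_rules(config_xml, event_type="ProcessCreate"):
    """Flatten a config into (onmatch, name, relation, [(field, cond, value)]),
    in config order. Works with or without RuleGroup wrappers."""
    rules = []
    for node in ET.fromstring(config_xml).iter(event_type):
        onmatch = node.get("onmatch", "exclude")
        for child in node:
            if child.tag == "Rule":
                filters = [(f.tag, f.get("condition", "is"), (f.text or "").strip()) for f in child]
                rules.append((onmatch, child.get("name", ""), child.get("groupRelation", "or"), filters))
            else:  # a bare filter behaves like a one-filter rule
                filters = [(child.tag, child.get("condition", "is"), (child.text or "").strip())]
                rules.append((onmatch, child.get("name", ""), "or", filters))
    return rules


def _decided_at(filters, relation, event):
    """Schema index at which the rule is decided, or None if it does not match."""
    hits = []
    for field, cond, value in filters:
        if _matches(cond, event.get(field, ""), value):
            hits.append(SCHEMA_ORDER.index(field))
        elif relation == "and":
            return None
    if not hits:
        return None
    return max(hits) if relation == "and" else min(hits)


def winning_rule(config_xml, event, event_type="ProcessCreate"):
    """RuleName that would be logged, '-' for a nameless match, None if dropped."""
    candidates = []
    for idx, (onmatch, name, relation, filters) in enumerate(load_rules(config_xml, event_type)):
        pos = _decided_at(filters, relation, event)
        if pos is None:
            continue
        if onmatch == "exclude":
            return None  # an exclude match suppresses the event outright
        candidates.append((pos, idx, name))
    return (min(candidates)[2] or "-") if candidates else None


# Constructed event: values copied from the question; ParentCommandLine is assumed.
EVENT = {
    "Image": r"C:\Windows\System32\net.exe", "FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
    "Description": "Net Command", "Product": "Microsoft\u00ae Windows\u00ae Operating System",
    "Company": "Microsoft Corporation", "OriginalFileName": "net.exe", "CommandLine": "net  user",
    "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
}
_HEAD = '<Sysmon schemaversion="4.50"><EventFiltering><RuleGroup groupRelation="or"><ProcessCreate onmatch="include">'
_TAIL = "</ProcessCreate></RuleGroup></EventFiltering></Sysmon>"
CONFIG_BARE = _HEAD + r"""<OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
<Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>""" + _TAIL
CONFIG_WORKAROUND = _HEAD + r"""<OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
<Rule name="Default catch" groupRelation="and"><Image condition="is">C:\Windows\System32\net.exe</Image>
<ParentCommandLine condition="is not">bogus_value</ParentCommandLine></Rule>""" + _TAIL
CONFIG_BOTH_RULES = _HEAD + r"""<Rule name="Original filename catch" groupRelation="and">
<OriginalFileName condition="is">net.exe</OriginalFileName></Rule>
<Rule name="Default catch" groupRelation="and"><Image condition="is">C:\Windows\System32\net.exe</Image></Rule>""" + _TAIL

if __name__ == "__main__":
    for label, cfg in [("bare", CONFIG_BARE), ("workaround", CONFIG_WORKAROUND), ("both rules", CONFIG_BOTH_RULES)]:
        print(f"{label:11s} -> {winning_rule(cfg, EVENT)}")
```

The last assertion in the test is the case the OriginalFileName rule is really there for: the same binary copied to another path still has OriginalFileName `net.exe`, the Image filter no longer matches, and the OriginalFileName rule is the one that fires. If you use this against your own config, treat any include rule whose fields are all later in the schema than a broader rule's fields as a candidate for the ParentCommandLine-style demotion shown in the accepted answer.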