Filter Sysmon EventCode 7 (ImageLoad) not working?

Niklas Sjögren 41 Reputation points
2021-02-16T16:02:39.727+00:00

Hi !

I am trying to use a "sub group" exclude filter for ImageLoad, but it seems like that does not work!?

A single exclude line like:

<Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image> - Works fine

But if I add:

<Rule groupRelation="and">
<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
<ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
</Rule>

It seems to be ignored.

Rule groups like those work fine for all the other events.
Is it not supported in ImageLoad!? Or am I doing something wrong here?

Running Sysmon v13.01
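As an added example (not the original poster's configuration and not Sysinternals' own code), here is the complete config file the fragments above would sit in, with the schemaversion attribute that the answers below refer to, followed by a PowerShell check on whether the excluded (Image, ImageLoaded) combination still produces Event ID 7 records. The temp file path and the Sysmon64.exe location are assumptions; whether a given Sysmon build honours the compound rule is exactly what the thread is about, so the check reports what it sees rather than assuming either way.

```powershell
# Added example (not the poster's config): a complete Sysmon config in which the
# compound ImageLoad exclude rule from the question sits inside its RuleGroup,
# followed by a check for Event ID 7 records the rule should have suppressed.
# File path and Sysmon64.exe location are assumptions.
$configPath = "$env:TEMP\sysmon-imageload.xml"

# Both exclude entries from the question live under one <ImageLoad onmatch="exclude">.
# The bare <Image> line is a single-field exclude; the <Rule groupRelation="and">
# only excludes loads where BOTH fields match.
@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ImageLoad excludes" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image>
        <Rule groupRelation="and">
          <Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
          <ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# Apply the config to the running Sysmon service (elevated prompt required;
# use Sysmon.exe instead if the 32-bit binary was installed).
& "$env:SystemRoot\Sysmon64.exe" -c $configPath

# Verify: once the update is in effect, Event ID 7 records for WmiPrvSE.exe
# loading anything under C:\Windows\System32\ should stop appearing. The XPath
# handles the exact Image match (Windows event XPath has no starts-with);
# Where-Object does the "begin with" test on ImageLoaded.
$since = (Get-Date).AddMinutes(-5)
$xpath = "*[System[EventID=7]] and *[EventData[Data[@Name='Image']='C:\Windows\System32\wbem\WmiPrvSE.exe']]"
$hits = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $loaded = ($x.Event.EventData.Data | Where-Object Name -eq 'ImageLoaded').'#text'
        if ($loaded -like 'C:\Windows\System32\*') { $_ }
    }

if ($hits) {
    "Compound exclude NOT honoured: $(@($hits).Count) matching ImageLoad events since $since"
    $hits | Select-Object TimeCreated, @{n='ImageLoaded'; e={ ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'ImageLoaded' | Select-Object -ExpandProperty '#text' }}
} else {
    "No matching ImageLoad events since $since (either excluded by the rule, or WmiPrvSE loaded nothing from System32 in that window)"
}
```

Run it, let WmiPrvSE.exe do some work (any WMI query will make it load DLLs from System32), then run the verification part again; a non-empty result after the config update is the symptom the question describes.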


3 answers

  1. Alex Mihaiuc 721 Reputation points
    2021-03-24T15:42:44.897+00:00

    Working on a fix for this one - I think it will be out in 13.03 which should come out soon enough (13.02 was out yesterday and doesn't have this fix).


  2. Dave McCormack 11 Reputation points
    2021-02-18T00:22:53.39+00:00

    Are you specifying your schemaVersion at the top? It defaults to assuming an older schema where what you're doing may not be supported. At the top of my config for Sysmon 13.01 I have:

    <Sysmon schemaversion="4.50">


  3. Niklas Sjögren 41 Reputation points
    2021-02-19T07:13:01.53+00:00

    Hi!
    Yes, I have the same schemaversion at the top of my config.

    <Sysmon schemaversion="4.50">