MichaelN-3711 asked MichaelN-3711 commented

Use of CommandLine rules in Sysmon v13.02

I'm doing some testing with Sysmon version 13.02 and can't get some rules based on CommandLine to match.
This is my test config file:

 <Sysmon schemaversion="4.50">
     <EventFiltering> 
    
         <RuleGroup name="ProcessCreate - Include" groupRelation="or">
             <ProcessCreate onmatch="include">
                 <CommandLine name="Net user contains" condition="contains">net user</CommandLine>
                 <CommandLine name="Net user begin with" condition="begin with">net user</CommandLine>
                 <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
             </ProcessCreate>
         </RuleGroup>
            
         <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
             <ProcessTerminate onmatch="include">
                 <!-- Empty rule set -->  
             </ProcessTerminate>
         </RuleGroup>
    
     </EventFiltering>
 </Sysmon>

Running 'net user' from the command prompt only yields an event with 'Default catch' as the RuleName.
Neither of the CommandLine rules matches!
What am I doing wrong? Or is this a bug?

windows-sysinternals-sysmon

MichaelN-3711 answered

I managed to get a working solution that works in this limited test scenario.
You need to explicitly exclude the known cases in the default rule as in the example below:

 <Sysmon schemaversion="4.50">
     <EventFiltering> 
    
         <RuleGroup name="ProcessCreate - Include" groupRelation="or">
             <ProcessCreate onmatch="include">
                 <Rule groupRelation="and" name="Net with user parameter">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <CommandLine condition="contains"> user</CommandLine>
                 </Rule> 
                 <Rule groupRelation="and" name="Net with use parameter">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <CommandLine condition="contains"> use</CommandLine>
                 </Rule> 
                 <Rule groupRelation="and" name="Net with session parameter">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <CommandLine condition="contains"> session</CommandLine>
                 </Rule>
                 <Rule groupRelation="and" name="Default net case">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <CommandLine condition="excludes any"> user; use; session</CommandLine>
                 </Rule> 
             </ProcessCreate>
         </RuleGroup>
            
         <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
             <ProcessTerminate onmatch="include">
                 <!-- Empty rule set --> 
             </ProcessTerminate>
         </RuleGroup>
    
     </EventFiltering>
 </Sysmon>

The problem is that my real world config file is much more complicated than this...
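As an added illustration (not code from the thread or from Sysmon), here is a small Python model of a subset of Sysmon's filter semantics applied to trimmed copies of the question's config and the answer's config above. It lists every include rule an event satisfies, which shows that in the question's config all three rules match "net user" (Sysmon itself reports only one RuleName), and that in the answer's config the " use" rule still matches "net user" because " use" is a substring of " user". The sample events are constructed; the matcher is a simplification, not Sysmon's engine, and assumes ';'-separated list values are not whitespace-trimmed.

```python
import xml.etree.ElementTree as ET
# Subset of Sysmon's filter conditions; Sysmon matches case-insensitively, so callers
# lowercase both sides. Assumption: ';'-separated list values are not whitespace-trimmed.
CONDITIONS = {
    "is": lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "begin with": lambda v, p: v.startswith(p),
    "contains any": lambda v, p: any(x in v for x in p.split(";")),
    "excludes any": lambda v, p: not any(x in v for x in p.split(";")),
}
# The question's config, trimmed to its ProcessCreate rules.
QUESTION_CFG = r"""<Sysmon schemaversion="4.50"><EventFiltering>
<RuleGroup name="ProcessCreate - Include" groupRelation="or"><ProcessCreate onmatch="include">
<CommandLine name="Net user contains" condition="contains">net user</CommandLine>
<CommandLine name="Net user begin with" condition="begin with">net user</CommandLine>
<Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
</ProcessCreate></RuleGroup></EventFiltering></Sysmon>"""
# The answer's config, trimmed to the 'user', 'use' and default rules.
ANSWER_CFG = r"""<Sysmon schemaversion="4.50"><EventFiltering>
<RuleGroup name="ProcessCreate - Include" groupRelation="or"><ProcessCreate onmatch="include">
<Rule groupRelation="and" name="Net with user parameter"><Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="contains"> user</CommandLine></Rule>
<Rule groupRelation="and" name="Net with use parameter"><Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="contains"> use</CommandLine></Rule>
<Rule groupRelation="and" name="Default net case"><Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="excludes any"> user; use; session</CommandLine></Rule>
</ProcessCreate></RuleGroup></EventFiltering></Sysmon>"""

def field_matches(node, event):
    """Evaluate one field filter such as <Image condition="is">...</Image> against an event dict."""
    value = event.get(node.tag, "").lower()
    pattern = (node.text or "").lower()   # keep leading spaces: " user" is deliberate in the thread
    return CONDITIONS[node.attrib.get("condition", "is")](value, pattern)

def matching_rules(config_xml, event):
    """Names of every ProcessCreate include rule the event satisfies, in config order."""
    matched = []
    for pc in ET.fromstring(config_xml).iter("ProcessCreate"):
        if pc.attrib.get("onmatch") != "include":
            continue
        for node in pc:
            if node.tag == "Rule":   # compound rule: and/or over its child field filters
                combine = all if node.attrib.get("groupRelation", "or") == "and" else any
                hit = combine(field_matches(f, event) for f in node)
            else:                    # bare field filter; its own name is the RuleName
                hit = field_matches(node, event)
            if hit:
                matched.append(node.attrib.get("name", ""))
    return matched
```

Running an Image of net1.exe through the answer's config returns no match at all, which is the gap dstaulcu's "contains any" on net.exe;net1.exe closes.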


dstaulcu answered dstaulcu edited

I ran process create without any filters to see what things would look like. Turns out the CommandLine field does not have a full path to the image with calls to net1.exe OR net.exe.


With that in mind, constructing a rule group based both on Image and CommandLine filters does the trick for me:

<RuleGroup name="ProcessCreate - Include" groupRelation="and">
<ProcessCreate onmatch="include">
<Image name="" condition="contains any">net.exe;net1.exe</Image>
<CommandLine name="" condition="contains"> use</CommandLine>
</ProcessCreate>
</RuleGroup>


MichaelN-3711 answered MichaelN-3711 commented

Thanks for your suggestion @dstaulcu but that isn't really what I want. I want to have a number of specific rules
(e.g. commands launched with specific parameters) high up in my configuration file followed by a more
general rule at the bottom of the config file. And all rules are interesting outcomes/matches for me.

I've tried to rewrite my test config file to more closely follow your example but the end result is the same,
i.e. the event is logged with the 'Default catch' rulename.

 <Sysmon schemaversion="4.50">
     <EventFiltering> 
    
         <RuleGroup name="ProcessCreate - Include" groupRelation="or">
             <ProcessCreate onmatch="include">
                 <Rule groupRelation="and" name="Net with user parameter">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <CommandLine condition="contains"> user</CommandLine>
                 </Rule> 
                 <Rule groupRelation="and" name="Net with session parameter">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <CommandLine condition="contains"> session</CommandLine>
                 </Rule>
                 <Rule groupRelation="and" name="Default catch">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                 </Rule> 
             </ProcessCreate>
         </RuleGroup>
            
         <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
             <ProcessTerminate onmatch="include">
                 <!-- Empty rule set -->  
             </ProcessTerminate>
         </RuleGroup>
    
     </EventFiltering>
 </Sysmon>

Interesting approach. I would not have thought to try to achieve that via Sysmon config; instead I would have applied such logic in post-processing tools like PowerShell or a SIEM. Good luck!


Yes, well, Sysmon's capabilities are amazing, and to code similar functionality myself is both hard and time-consuming... :-)
