MichaelN-3711 asked:

Use of OriginalFileName rules in Sysmon v13.02

I'm learning Sysmon and am doing some testing with v13.02, and can't get rules based on OriginalFileName to match.
This is my test config file:

 <Sysmon schemaversion="4.50">
     <EventFiltering> 
    
         <RuleGroup name="ProcessCreate - Include" groupRelation="or">
             <ProcessCreate onmatch="include">
                 <OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
                 <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
             </ProcessCreate>
         </RuleGroup>
            
         <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
             <ProcessTerminate onmatch="include">
                 <!-- Empty rule set -->  
             </ProcessTerminate>
         </RuleGroup>
    
     </EventFiltering>
 </Sysmon>

The result is an event logged with the 'Default catch' RuleName even though the event contents show that the OriginalFileName is net.exe.

 Process Create:
 RuleName: Default catch
 UtcTime: 2021-04-15 14:53:08.216
 ProcessGuid: {952ebdeb-5354-6078-d205-000000006700}
 ProcessId: 2548
 Image: C:\Windows\System32\net.exe
 FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
 Description: Net Command
 Product: Microsoft® Windows® Operating System
 Company: Microsoft Corporation
 OriginalFileName: net.exe
 CommandLine: net  user
 <snip>

What am I missing? Or is this a bug?

MichaelN-3711 answered:

Ah, I found a workaround that works and is only a tiny bit cumbersome: add a filter with a very low 'precedence'
to the default case. (You can find out the schema precedence by dumping the schema with "sysmon[64].exe -s".)
Here is the final working test case:

 <Sysmon schemaversion="4.50">
     <EventFiltering> 
    
         <RuleGroup name="ProcessCreate - Include" groupRelation="or">
             <ProcessCreate onmatch="include">
                 <OriginalFileName name="Original filename catch"  condition="is">net.exe</OriginalFileName>
                 <Rule name="Default catch" groupRelation="and">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                     <ParentCommandLine condition="is not">bogus_value</ParentCommandLine>
                 </Rule> 
             </ProcessCreate>
         </RuleGroup>
            
         <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
             <ProcessTerminate onmatch="include">
                 <!-- Empty rule set -->  
             </ProcessTerminate>
         </RuleGroup>
    
     </EventFiltering>
 </Sysmon>
MichaelN-3711 answered:

Continued research led me to TrustedSec's Sysmon Community Guide which (partly) told me
the answer. On page 18 in the v1.2 version of the PDF you find:

Rules are processed in the order they are placed in the configuration file. This is important
because once a Rule matches and the information for that EventType is included in the Windows
EventLog, no other rule will be processed against that action. Filters that are not in a Rule
element will be processed in the order that they appear in the schema. This also applies to
multiple filters inside a Rule where the schema order is used.

So the problem is that Image rules have higher "precedence" than OriginalFileName rules.

The problem, though, is that enclosing the filters in Rule tags, as suggested above, doesn't work
either. The config file below gives you the same result, i.e. a 'Default catch' event. :-(

 <Sysmon schemaversion="4.50">
     <EventFiltering> 
    
         <RuleGroup name="ProcessCreate - Include" groupRelation="or">
             <ProcessCreate onmatch="include">
                 <Rule name="Original filename catch" groupRelation="and">
                     <OriginalFileName condition="is">net.exe</OriginalFileName>
                 </Rule> 
                 <Rule name="Default catch" groupRelation="and">
                     <Image condition="is">C:\Windows\System32\net.exe</Image>
                 </Rule> 
             </ProcessCreate>
         </RuleGroup>
            
         <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
             <ProcessTerminate onmatch="include">
                 <!-- Empty rule set -->  
             </ProcessTerminate>
         </RuleGroup>
    
     </EventFiltering>
 </Sysmon>
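To make the ordering behaviour from the question, the workaround and the guide quote concrete, here is a small Python model (added here, not the poster's code and not Sysmon's) that parses a ProcessCreate include block, sorts its entries by schema precedence instead of file order, and reports which RuleName a first-match-wins evaluation would log. The schema field order is taken from the event layout shown in the question; that a <Rule> element takes the precedence of its lowest-precedence field is an assumption inferred from the poster's observations (wrapping alone did not help, adding a ParentCommandLine filter did), and the ParentCommandLine value in the sample event is constructed.

```python
import xml.etree.ElementTree as ET

# ProcessCreate field order as it appears in the event in the question
# (schema 4.50): Image sorts before OriginalFileName, ParentCommandLine last.
SCHEMA_ORDER = ["Image", "FileVersion", "Description", "Product", "Company",
                "OriginalFileName", "CommandLine", "CurrentDirectory", "User",
                "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel",
                "Hashes", "ParentProcessGuid", "ParentProcessId", "ParentImage",
                "ParentCommandLine"]
# The question's config, reduced to its ProcessCreate include block.
QUESTION_CONFIG = r"""<Sysmon schemaversion="4.50"><EventFiltering>
<RuleGroup name="ProcessCreate - Include" groupRelation="or"><ProcessCreate onmatch="include">
  <OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
  <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
</ProcessCreate></RuleGroup></EventFiltering></Sysmon>"""

# Constructed event: values copied from the event logged in the question;
# ParentCommandLine is a made-up value (the question's <snip> did not show it).
EVENT = {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
         "CommandLine": "net  user", "ParentCommandLine": "cmd.exe"}

def filter_matches(elem, event):
    """Apply one <Field condition="...">value</Field> filter to an event."""
    actual, want = event.get(elem.tag, ""), (elem.text or "").strip()
    ops = {"is": actual == want, "is not": actual != want, "contains": want in actual}
    return ops[elem.get("condition", "is")]

def entry_matches(elem, event):
    """A bare filter, or a <Rule> combining its filters with groupRelation."""
    if elem.tag != "Rule":
        return filter_matches(elem, event)
    hits = [filter_matches(f, event) for f in elem]
    return all(hits) if elem.get("groupRelation") == "and" else any(hits)

def evaluation_order(config_xml):
    """Sort ProcessCreate include entries by schema precedence, not file order.
    Assumption: a <Rule> takes the precedence of its lowest-precedence field."""
    pc = next(e for e in ET.fromstring(config_xml).iter("ProcessCreate")
              if e.get("onmatch") == "include")
    def key(item):
        fields = [f.tag for f in item[1]] if item[1].tag == "Rule" else [item[1].tag]
        return (max(SCHEMA_ORDER.index(f) for f in fields), item[0])
    return [elem for _, elem in sorted(enumerate(pc), key=key)]

def reported_rule_name(config_xml, event):
    """Name of the first matching entry, i.e. the RuleName Sysmon would log."""
    for elem in evaluation_order(config_xml):
        if entry_matches(elem, event):
            return elem.get("name", "")
    return None
```

Running `reported_rule_name(QUESTION_CONFIG, EVENT)` gives 'Default catch', as in the question; swapping the Image filter for the workaround's <Rule> with the extra ParentCommandLine filter makes it return 'Original filename catch'.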