If anyone is interested, this bug is fixed in Sysmon v13.20 released on May 25th.
Thanks to all Microsoft developers who continue to make an excellent product even better!
I've been testing the brand new Sysmon v13.10 for the last couple of hours and found what I believe are possible (parser?) bugs:
First, FileCreate rules generate events for seemingly unmatched files.
This rule:
<Rule name="Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access" groupRelation="and">
  <Image condition="image">chrome.exe</Image>
  <TargetFilename condition="end with">.bat</TargetFilename>
</Rule>
generates events such as:
File created:
RuleName: Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access
UtcTime: 2021-04-23 07:08:18.332
ProcessGuid: {952ebdeb-7208-6082-7c04-000000006b00}
ProcessId: 1112
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\<my_user_here>\AppData\Local\Google\Chrome\User Data\Local State~RF5588b88.TMP
CreationUtcTime: 2021-04-23 07:08:18.332
Note the .TMP file ending in the event and the .bat ending in the rule. It's also worth noting that this is the first FileCreate rule for Chrome in my ruleset. I haven't confirmed it, but my gut feeling tells me the rule somehow matches ALL files created by Chrome.
Second, I've found a similar problem with RegistryEvents.
Rules like this (with filtering on EventType to reduce the number of matches):
<Rule name="Technique_id=T1543.003,Sub_Technique_name=Windows Service,Technique_name=Create or Modify System Process,Tactic=Privilege Escalation/Persistence" groupRelation="and">
  <EventType condition="is">SetValue</EventType>
  <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
  <TargetObject condition="end with">\ImagePath</TargetObject>
</Rule>
now generate events on registry keys such as these:
TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\SigUpdateTimestampsSinceLastHB
TargetObject: HKU\S-1-5-21-3498627903-1158335656-2156597041-1002\SOFTWARE\Microsoft\Input\TypingInsights\Insights
TargetObject: HKU\S-1-5-21-3498627903-1158335656-2156597041-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings\SafeSearchMode
i.e. completely unrelated registry keys.
The matching rule is ALWAYS the first rule using the EventType filter, and this rule changes to the next (first) one if I comment it out.
And the number of logged events is somewhat large.
Can someone please confirm? (Or deny ;-)
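To see what the two quoted rules are supposed to match, here is an added example (not Sysmon's code and not from the poster) that evaluates the documented Sysmon filter semantics offline against the events quoted in the post. The rule names are shortened to my own labels, the `.bat` download, the `Spooler\ImagePath` write and the `DeleteValue` event are constructed inputs, and `SetValue` is assumed for the posted registry objects since the post does not show their EventType. It models only the `<Rule>` / `groupRelation` semantics, not the v13.10 behaviour being reported, so an event that Sysmon logs under a RuleName but that this evaluator rejects is a false positive relative to the configured rule.

```python
# Added example (not Sysmon's code): an offline evaluator for the documented
# <Rule> filter semantics, run against the rules and events quoted in the thread.
import xml.etree.ElementTree as ET


def field_matches(condition, value, pattern):
    """Apply one Sysmon condition to one event field; Sysmon compares case-insensitively."""
    v, p = value.lower(), pattern.lower()
    parts = [s.strip() for s in p.split(";")]  # ';' delimits the 'any'/'all' lists
    table = {
        "is": lambda: v == p,
        "is not": lambda: v != p,
        "contains": lambda: p in v,
        "contains any": lambda: any(s in v for s in parts),
        "contains all": lambda: all(s in v for s in parts),
        "excludes": lambda: p not in v,
        "excludes any": lambda: any(s not in v for s in parts),
        "excludes all": lambda: all(s not in v for s in parts),
        "begin with": lambda: v.startswith(p),
        "end with": lambda: v.endswith(p),
        "not begin with": lambda: not v.startswith(p),
        "not end with": lambda: not v.endswith(p),
        # 'image' matches either the full path or just the final path component
        "image": lambda: v == p or v.rsplit("\\", 1)[-1] == p,
    }
    if condition not in table:
        raise ValueError(f"unsupported condition: {condition!r}")
    return table[condition]()


def rule_matches(rule, event):
    """groupRelation="and" needs every filter in the <Rule> to match, "or" needs any one.
    A filter on a field the event does not carry never matches."""
    outcomes = []
    for flt in rule:
        value = event.get(flt.tag)
        outcomes.append(
            value is not None
            and field_matches(flt.get("condition", "is"), value, (flt.text or "").strip())
        )
    return all(outcomes) if rule.get("groupRelation", "or") == "and" else any(outcomes)


def matching_rules(filter_xml, event):
    """Names of the rules under one event filter (e.g. <FileCreate>) that match the event."""
    root = ET.fromstring(filter_xml)
    hits = []
    for child in root:
        # A bare filter directly under the event type behaves like a one-filter rule.
        if child.tag == "Rule":
            rule = child
        else:
            rule = ET.Element("Rule", name=child.get("name", child.tag))
            rule.append(child)
        if rule_matches(rule, event):
            hits.append(rule.get("name"))
    return hits


# The two rules from the thread; names shortened to my own labels (assumption).
FILECREATE_RULES = r"""<FileCreate onmatch="include">
  <Rule name="chrome .bat" groupRelation="and">
    <Image condition="image">chrome.exe</Image>
    <TargetFilename condition="end with">.bat</TargetFilename>
  </Rule>
</FileCreate>"""

REGISTRY_RULES = r"""<RegistryEvent onmatch="include">
  <Rule name="service ImagePath" groupRelation="and">
    <EventType condition="is">SetValue</EventType>
    <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
    <TargetObject condition="end with">\ImagePath</TargetObject>
  </Rule>
</RegistryEvent>"""

# Events: the .TMP creation and the Defender value are from the post (EventType assumed);
# the .bat download, the Spooler ImagePath write and the DeleteValue are constructed.
CHROME_TMP_EVENT = {
    "Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    "TargetFilename": r"C:\Users\<my_user_here>\AppData\Local\Google\Chrome\User Data\Local State~RF5588b88.TMP",
}
CHROME_BAT_EVENT = {
    "Image": CHROME_TMP_EVENT["Image"],
    "TargetFilename": r"C:\Users\<my_user_here>\Downloads\invoice.bat",
}
DEFENDER_EVENT = {
    "EventType": "SetValue",
    "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\SigUpdateTimestampsSinceLastHB",
}
SERVICE_EVENT = {
    "EventType": "SetValue",
    "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
}
SERVICE_DELETE_EVENT = dict(SERVICE_EVENT, EventType="DeleteValue")


def expected_matches():
    """What each event should produce under the documented semantics."""
    return {
        "chrome tmp (posted)": matching_rules(FILECREATE_RULES, CHROME_TMP_EVENT),
        "chrome bat (constructed)": matching_rules(FILECREATE_RULES, CHROME_BAT_EVENT),
        "defender value (posted)": matching_rules(REGISTRY_RULES, DEFENDER_EVENT),
        "service imagepath set": matching_rules(REGISTRY_RULES, SERVICE_EVENT),
        "service imagepath delete": matching_rules(REGISTRY_RULES, SERVICE_DELETE_EVENT),
    }


if __name__ == "__main__":
    for label, hits in expected_matches().items():
        print(f"{label:28s} -> {hits or 'no rule matches'}")
```

Running it shows that only the constructed `invoice.bat` and `Spooler\ImagePath` SetValue events satisfy their rule; the posted `.TMP` creation and the Defender registry value match nothing, and the `DeleteValue` case shows the EventType filter doing its job inside the `and` group.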
Could you provide a little more context from the config? I'm interested in seeing the full event that encloses the quoted rules.
@Alex Mihaiuc I'm not really sure what you mean by "the full event"!? Here is some more context, though:
<EventFiltering>
  <!-- Other event types sorted in event id order -->
  <RuleGroup name="FileCreate - Include" groupRelation="or">
    <FileCreate onmatch="include">
      <!-- Lots of filters based on TargetFilename only -->
      <!-- This is the first FileCreate rule with Image filter -->
      <Rule name="Technique_id=T1566,Sub_Technique_name=Executable file created by cmd.exe,Technique_name=Phishing,Tactic=Initial Access" groupRelation="and">
        <Image condition="image">cmd.exe</Image>
        <TargetFilename condition="end with">.bat</TargetFilename>
      </Rule>
      <!-- More rules in similar style -->
    </FileCreate>
  </RuleGroup>
  <!-- Other event types sorted in event id order -->
  <RuleGroup name="RegistryEvent - Include" groupRelation="or">
    <RegistryEvent onmatch="include">
      <!-- Lots of filters based on TargetObject only -->
      <!-- This is the first RegistryEvent Rule with EventType filter -->
      <Rule name="Technique_id=T1543.003,Sub_Technique_name=Windows Service,Technique_name=Create or Modify System Process,Tactic=Privilege Escalation/Persistence" groupRelation="and">
        <EventType condition="is">SetValue</EventType>
        <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
        <TargetObject condition="end with">\ImagePath</TargetObject>
      </Rule>
      <!-- More rules in similar style and filters based on TargetObject only -->
    </RegistryEvent>
  </RuleGroup>
  <!-- Other event types sorted in event id order -->
</EventFiltering>