Sysmon 13.20 breaks filtering that worked in 13.10 causing huge surge in event volume

Dave McCormack 11

In Sysmon 13.10, the attached sysmon config filters ImageLoaded events so that KnownDlls are not reported. With Sysmon 13.20, all these events are appearing in the trace.100032-temp.xml

1 answer

dstaulcu 351 Reputation points

2021-05-27T00:56:28.287+00:00

Looks like you may have encountered a new limit in the length of a configuration value as part of your ImageLoaded is any conditions.

When I merged your config and then inspected output of sysmon -c the values were truncated to 'C:\Win'

I did some boundary testing and it looks like truncation starts with the 128th character.

It's possible this is a display limit and not an actual configuration limit. If not limited to display this would explain the increase in logging due to your exclude based configuration strategy.

Update:

You could likely work within limits by employing the "contains any" filter condition instead of "is any". If you still want to differentiate between 32 bit and 64 bit you could add an additional ImageLoaded "begin with" condition for each rule group. With this situation in mind it would be cool if there was an "images" filter condition.
Please sign in to rate this answer.
Dave McCormack 11 Reputation points

2021-05-27T12:10:16.25+00:00

Thanks. My preference for "is any" over "contains any" is based on performance considerations, but perhaps that is a micro-optimisation I can live without.

I imagine I won't be the only person to be affected by this. It's quite a nasty defect because it's not immediately obvious that anything is wrong. It was only when I noticed a huge increase in my event volumes that I got suspicious.

dstaulcu 351 Reputation points

2021-05-27T12:58:37.1+00:00

Good idea!
I imagine you are indeed not the only one affected.
That said, looks like the longest length of a value in popular and public Swift and Olaf configs is 121 chars.

Dave McCormack 11 Reputation points

2021-05-27T15:13:58.96+00:00

I reworked the ImageLoad filter as shown in the attached. This gets around the apparent defect in 13.20.

In case anyone is wondering, my actual Sysmon configuration file is a lot more complicated than shown here. I've stripped out stuff relating to other event types and also stuff relating to filtering out our own products.100334-temp.xml

Michael_N 961 Reputation points

2021-06-01T11:28:30.887+00:00

A very neat idea @Dave McCormack .

Have your verified the config?

As I read the config, as long as at least one expression is true the giant OR-clause is also true. That ought to mean that as long as the image is signed (<Signed condition="is">true</Signed>) for example, the event isn't logged. Or am I reading the configuration wrong...?

The giant rule can't be a large AND-clause since the Image (name) can't be all the DLL:s at once...!?

Dave McCormack 11 Reputation points

2021-06-01T12:00:02.827+00:00

The doco says that dissimilar criteria (ImageLoaded, Signed, Signature, SignatureStatus) are ANDed and then similar criteria (all the ImageLoaded) are ORed.

So in this case, the rule will exclude the event if the Signed, Signature, and SignatureStatus are all true and if one of the ImageLoaded is true.

This is working correctly for me.

Michael_N 961 Reputation points

2021-06-01T12:46:19.223+00:00

Ah, thanks for the clarification.

dstaulcu 351 Reputation points

2021-06-03T01:25:05.75+00:00

I did not realize that subtlety existed. Thanks for sharing!
Sign in to comment