Certain rule combinations seem to prevent logging of Sysmon events

Michael_N 961 Reputation points
2021-06-03T13:52:56.107+00:00

I'm trying to verify my Sysmon-configuration with small test cases inspired by Atomic Red Team.

When checking my test cases for Mshta (Mitre Att&ck T1218.005) I noticed that certain combinations of rules seem to prevent logging
of Sysmon events. In this case process creation events of mshta.exe and its "children" processes.

After hours of troubleshooting I've narrowed it down to two groups of rules that prevent either:

  • Logging of mshta.exe events of launching (4 rules with excludes any filters)
  • Logging of processes launched from mshta.exe (2 rules with Image and ParentImage combination)

Please see attached configuration files for full context. I've included two versions - one working just fine (so I know the syntax etc. is correct)
and one not working. In both files there are three baseline filters for creation and termination of mshta.exe and cmd.exe.
102138-mshta-test-working.xml
102143-mshta-test-not-working.xml

I tried to attach my test case files as a zip-file but it wasn't allowed. My test case file is a simple .bat file like this:

@Echo off
call :LAUNCH_TEST mshta.exe "%cd%\Files\launch_calc.hta"
call :LAUNCH_TEST mshta.exe vbscript:Close(Execute("GetObject(""script:%cd%\Files\launch_notepad.sct"")"))
pause
goto END

:LAUNCH_TEST
echo Launching test: %* ...
%* >NUL 2>&1

:END

The syntax for the .hta file is copied from here and the syntax for the .sct file is copied from here.
I then made minimal changes to the files.

Please note that your AV might be triggered by one (or both?) of the files. My AV was triggered by the .sct-file.

Has anyone seen anything like this? Can someone confirm that they get the same result?
Is this a bug (I'm running Sysmon v13.20)?

I'm doing my testing on Windows 10, version 20H2.

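The attached configuration files did not survive on this page. As an added illustration (not the asker's files, and not Sysinternals code), the script below writes a minimal Sysmon configuration of the shape the question describes, i.e. baseline ProcessCreate/ProcessTerminate filters for mshta.exe and cmd.exe plus one rule that combines ParentImage and Image with groupRelation="and", and then provides a query over the Sysmon Operational log so you can check whether the expected Event ID 1 and 5 records for mshta.exe and its children were actually written. The output file name, the conhost.exe exclusion and the schema version 4.40 (the version the thread's install log shows being loaded) are assumptions of this example.

```powershell
# Added example: a minimal Sysmon test configuration of the kind described in the
# question (assumed content, not the asker's attachments). Schema 4.40 is assumed
# because the thread's install log shows a 4.40 config being loaded.
$SysmonConfig = @'
<Sysmon schemaversion="4.40">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- baseline: log every launch of mshta.exe and cmd.exe -->
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">cmd.exe</Image>
        <!-- Image AND ParentImage combination: anything spawned by mshta.exe
             (conhost.exe is excluded only to cut console-host noise; assumed) -->
        <Rule groupRelation="and" name="mshta child">
          <ParentImage condition="image">mshta.exe</ParentImage>
          <Image condition="is not">C:\Windows\System32\conhost.exe</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="include">
        <!-- baseline: log termination of the same two images -->
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">cmd.exe</Image>
      </ProcessTerminate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Write the config next to the script; load it afterwards with: sysmon64 -c .\mshta-test.xml
$ConfigPath = Join-Path -Path $PSScriptRoot -ChildPath 'mshta-test.xml'   # assumed file name
Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding UTF8

# Pull recent Sysmon ProcessCreate (1) and ProcessTerminate (5) events and keep
# those where mshta.exe is the image or the parent image, so a missing "child of
# mshta" record (the symptom in the question) is visible at a glance.
function Get-MshtaProcessEvents {
    param([int]$MaxEvents = 500)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 5 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id              # 1 = ProcessCreate, 5 = ProcessTerminate
                Image       = $data['Image']
                ParentImage = $data['ParentImage']   # absent on Event ID 5
                CommandLine = $data['CommandLine']   # absent on Event ID 5
            }
        } |
        Where-Object { $_.Image -like '*\mshta.exe' -or $_.ParentImage -like '*\mshta.exe' } |
        Sort-Object Time
}

# Typical use after running the test batch file: list what Sysmon actually recorded.
Get-MshtaProcessEvents | Format-Table Time, EventId, Image, ParentImage -AutoSize
```

Run the query from an elevated PowerShell session (the Sysmon Operational log is not readable by standard users). With the working configuration you should see an Event ID 1 for mshta.exe itself, Event ID 1 records whose ParentImage ends in \mshta.exe for each child process, and Event ID 5 entries when mshta.exe exits; if the child records are missing while the baseline mshta.exe record is present, you have reproduced the rule-combination behaviour the question reports.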

Accepted answer
  1. Alex Mihaiuc 721 Reputation points
    2021-06-17T12:24:10.59+00:00

    Hi, I expect this to be fixed in the upcoming Sysmon version - it should drop in a few days.


2 additional answers

  1. Michael_N 961 Reputation points
    2021-06-17T15:47:48.933+00:00

    That's excellent news @Alex Mihaiuc . Looking forward to a new release to try...


  2. Michael_N 961 Reputation points
    2021-06-23T05:50:00.317+00:00

    Thank you @Alex Mihaiuc and the rest of the Sysinternals/Microsoft guys for the new Sysmon version (v13.22)!

    I have now verified that it fixes the scenario described above.

    P.S.: I found one small mistake though: the version information says v13.21 (and not v13.22)...

    System Monitor v13.21 - System activity monitor
    Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
    Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
    Sysinternals - www.sysinternals.com

    Loading configuration file with schema version 4.40
    Sysmon schema version: 4.70
    Configuration file validated.
    Sysmon64 installed.
    SysmonDrv installed.
    Starting SysmonDrv.
    SysmonDrv started.
    Starting Sysmon64..
    Sysmon64 started.
