Hi, I expect this to be fixed in the upcoming Sysmon version - it should drop in a few days.
Certain rule combinations seem to prevent logging of Sysmon events
I'm trying to verify my Sysmon configuration with small test cases inspired by Atomic Red Team.
When checking my test cases for Mshta (MITRE ATT&CK T1218.005) I noticed that certain combinations of rules seem to prevent logging
of Sysmon events. In this case process creation events of mshta.exe and its "child" processes.
After hours of troubleshooting I've narrowed it down to two groups of rules that prevent either:
- Logging of mshta.exe events of launching (4 rules with excludes any filters)
- Logging of processes launched from mshta.exe (2 rules with Image and ParentImage combination)
Please see attached configuration files for full context. I've included two versions - one working just fine (so I know the syntax etc. is correct)
and one not working. In both files there are three baseline filters for creation and termination of mshta.exe and cmd.exe.
102138-mshta-test-working.xml
102143-mshta-test-not-working.xml
I tried to attach my test case files as a zip file but it wasn't allowed. My test case file is a simple .bat file like this:
@Echo off
call :LAUNCH_TEST mshta.exe "%cd%\Files\launch_calc.hta"
call :LAUNCH_TEST mshta.exe vbscript:Close(Execute("GetObject(""script:%cd%\Files\launch_notepad.sct"")"))
pause
goto END
:LAUNCH_TEST
echo Launching test: %* ...
%* >NUL 2>&1
:END
The syntax for the .hta file is copied from here and the syntax for the .sct file is copied from here.
I then made minimal changes to the files.
Please note that your AV might be triggered by one (or both?) of the files. My AV was triggered by the .sct file.
Has anyone seen anything like this? Can someone confirm that they get the same result?
Is this a bug (I'm running Sysmon v13.20)?
I'm doing my testing on a Windows 10, 20H2 version.
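The following is an added example, not the attached configuration files from the post above. It shows (a) a constructed minimal Sysmon configuration with the two rule shapes the post describes, a plain Image filter for mshta.exe and a combined Image plus ParentImage rule for a child of mshta.exe, alongside ProcessTerminate baseline filters, and (b) a PowerShell check that reads Sysmon Event ID 1 from the Sysmon operational log and reports whether the mshta.exe launch and its child processes were actually recorded. The config path, the ten-minute lookback window and the assumption that Sysmon64.exe is on PATH and the shell is elevated are all assumptions of this example.

```powershell
# Added example (not the poster's attached files). Assumes: elevated shell,
# Sysmon64.exe on PATH, and that the .bat test case has already been run.

# Constructed minimal config: mshta.exe by image name, plus an AND-rule that
# requires both ParentImage (mshta.exe) and Image (cmd.exe) to match.
$sysmonConfig = @'
<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- launch of mshta.exe itself -->
        <Image condition="image">mshta.exe</Image>
        <!-- any child of mshta.exe -->
        <ParentImage condition="image">mshta.exe</ParentImage>
        <!-- explicit Image + ParentImage combination -->
        <Rule groupRelation="and" name="mshta_spawns_cmd">
          <ParentImage condition="image">mshta.exe</ParentImage>
          <Image condition="image">cmd.exe</Image>
        </Rule>
      </ProcessCreate>
      <ProcessTerminate onmatch="include">
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">cmd.exe</Image>
      </ProcessTerminate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:TEMP 'mshta-test.xml'   # assumed location
Set-Content -Path $configPath -Value $sysmonConfig -Encoding ASCII
# Apply to an already-installed Sysmon (use -accepteula -i for a fresh install)
& Sysmon64.exe -c $configPath

# Return every Sysmon ProcessCreate (Event ID 1) record where mshta.exe is
# either the created process or its parent.
function Get-MshtaProcessEvents {
    param(
        [datetime]$Since   = (Get-Date).AddMinutes(-10),
        [string]  $LogName = 'Microsoft-Windows-Sysmon/Operational'
    )
    $filter = @{ LogName = $LogName; Id = 1; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data.Image -like '*\mshta.exe' -or $data.ParentImage -like '*\mshta.exe') {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                ProcessId   = $data.ProcessId
                Image       = $data.Image
                ParentImage = $data.ParentImage
                CommandLine = $data.CommandLine
            }
        }
    }
}

# Summarise which of the two things the post says go missing were logged.
function Test-MshtaLogging {
    $hits     = @(Get-MshtaProcessEvents)
    $launches = @($hits | Where-Object { $_.Image -like '*\mshta.exe' })
    $children = @($hits | Where-Object { $_.ParentImage -like '*\mshta.exe' })
    [pscustomobject]@{
        MshtaLaunchLogged = $launches.Count -gt 0
        MshtaChildLogged  = $children.Count -gt 0
        LaunchCount       = $launches.Count
        ChildCount        = $children.Count
    }
}

Get-MshtaProcessEvents | Format-Table -AutoSize
Test-MshtaLogging
```

Run the .bat test case between applying the config and calling Test-MshtaLogging; a result of MshtaLaunchLogged or MshtaChildLogged being False with the rules above in place reproduces the symptom described in the post, while both being True is the expected outcome on a version where the behaviour is fixed.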
-
Michael_N 961 Reputation points
2021-06-17T15:47:48.933+00:00 That's excellent news @Alex Mihaiuc . Looking forward to a new release to try...
-
Michael_N 961 Reputation points
2021-06-23T05:50:00.317+00:00 Thank you @Alex Mihaiuc and the rest of the Sysinternals/Microsoft guys for the new Sysmon version (v13.22)!
I have now verified that it fixes the scenario described above.
P.S: I found one small mistake though, the version information says v13.21 (and not v13.22)...
System Monitor v13.21 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.40
Sysmon schema version: 4.70
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.