sysmon bug? groupRelation and "Details"

McGahan, Timothy@CIO 86 Reputation points
2021-06-24T16:21:27.887+00:00

ReigstryEvent doesn't like my rule groups apparently... 

<Sysmon schemaversion="4.70">  
   <EventFiltering>  
 <RuleGroup name="" groupRelation="or">  
      <RegistryEvent onmatch="include">  
          <Rule groupRelation="and">  
              <TargetObject name="" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>   
              <Details name="" condition="contains">\Downloads\</Details>   
          </Rule>  
          <Rule groupRelation="and">  
              <TargetObject name="" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>  
              <Details name="" condition="contains">\Temporary Internet Files\Content.Outlook\</Details>   
          </Rule>  
          <Rule groupRelation="and">  
              <TargetObject name="" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>   
              <Details name="" condition="contains">\Local Settings\Temporary Internet Files\</Details>   
          </Rule>  
      </RegistryEvent>  
</RuleGroup>  
</EventFiltering>  
</Sysmon>

I keep getting an "System activity monitor has stopped working. A problem caused the program to stop working correctly. Please close the program."

109100-image.png

However, if I remove the last two rules, the conf will load. 

<Sysmon schemaversion="4.70">  
   <EventFiltering>  
 <RuleGroup name="" groupRelation="or">  
      <RegistryEvent onmatch="include">  
          <Rule groupRelation="and">  
              <TargetObject name="" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>   
              <Details name="" condition="contains">\Downloads\</Details>   
          </Rule>  
      </RegistryEvent>  
</RuleGroup>  
</EventFiltering>  
</Sysmon>

So, it's just the last two rules that are a problem. 

  <Rule groupRelation="and">  
      <TargetObject name="" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>  
      <Details name="" condition="contains">\Temporary Internet Files\Content.Outlook\</Details>   
  </Rule>  
  <Rule groupRelation="and">  
      <TargetObject name="" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>   
      <Details name="" condition="contains">\Local Settings\Temporary Internet Files\</Details>   
  </Rule>

Wondering if it has something to do with "Details" again.

Sysinternals
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,095 questions
Accepted answer
  1. Michael_N 961 Reputation points
    2021-06-25T08:48:46.437+00:00

    @McGahan, Timothy@CIO , I can confirm your analysis to some extent.

    First, trying your top config file above (with 3 rules) I don't get a application crash but the parsing of the config file doesn't seem to "finish":

    D:\Documents\Sysmon_Work_Area>sysmon64.exe -c details_test.xml

    System Monitor v13.22 - System activity monitor
    Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
    Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
    Sysinternals - www.sysinternals.com

    Loading configuration file with schema version 4.70

    D:\Documents\Sysmon_Work_Area>

    compared to the normal result after changing configuration (with missing lines bolded):

    System Monitor v13.22 - System activity monitor
    Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
    Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
    Sysinternals - www.sysinternals.com

    Loading configuration file with schema version 4.70
    Configuration file validated.
    Configuration updated.

    Second, doing my own testing I've noticed that single registry rules with the details filter seems to work just fine.
    However, if you add more rules it seems like only the first (i.e. top most) one can produce events in the log.
    The rules work separately, but "combined" in the config file only the top most one match and results in output.

    Can anyone else confirm?

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. McGahan, Timothy@CIO 86 Reputation points
    2021-06-24T17:07:56.483+00:00

    This also worked with no problem:

    <Sysmon schemaversion="4.70">
   <EventFiltering>
 <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
            <Rule groupRelation="and">
                <TargetObject name="" condition="end with">\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject> 
                <Details name="" condition="contains any">\Temp\;\ProgramData\;\AppData\;\Public\;\Default\</Details> 
            </Rule>
      </RegistryEvent>
</RuleGroup>
</EventFiltering>
</Sysmon>
    0 comments
  2. McGahan, Timothy@CIO 86 Reputation points
    2021-07-29T18:31:47.31+00:00

    I just tested this bug again v13.23 and it seems that it's fixed! No error!