Sysmon13.33

Question

Does sysmon suport wildcards, for instance:

Sysmon schemaversion="4.60">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="exclude">
<Rule groupRelation="and">
<SourceImage condition="end with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe</SourceImage>
<TargetImage condition="end with">C:\Windows\Explorer.EXE</TargetImage>
</Rule>
</ProcessAccess>
</RuleGroup>
</EventFiltering>
</Sysmon>

to write as:

Sysmon schemaversion="4.60">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="exclude">
<Rule groupRelation="and">
<SourceImage condition="end with">C:\Windows\Microsoft.NET\Framework\v*\NGenTask.exe</SourceImage>
<TargetImage condition="end with">C:\Windows\Explorer.EXE</TargetImage>
</Rule>
</ProcessAccess>
</RuleGroup>
</EventFiltering>
</Sysmon>

or else, for instance applications or documents under c:/user/?/

etc

thank you

Answer 1

I haven't verified but you should be able to do basically what you want using the begins with and ends with conditions. You can group multiple conditions for a single filter using and and or.

   <SourceImage condition="end with">\NGenTask.exe</SourceImage>  

That should filter out any process that isn't called ngentask which I would wager would only be the framework. However if you wanted to include the path then you probably could do something like this but I haven't tested it.

   <SourceImage condition="end with">\NGenTask.exe</SourceImage>  
   <SourceImage condition="begin with">C:\Windows\Microsoft.NET\Framework\v</SourceImage>  

Alternatively you might be able to get this to work with contains all.

   <SourceImage condition="contains all">C:\Windows\Microsoft.NET\Framework\v;\NGenTask.exe</SourceImage>  

The documentation is here so you can get a better idea of the options.

Answer 2

Thank you, it makes all sense now :)