Sysmon 11.11 rules dysfunction

  • Question

  • Hello,

    I'm trying to have a set of Sysmon rules to alert when something accesses another process's memory, especially if it is done from a process running in tmp.

    I don't want to have tons of logs for every process when procexp is running, though (because when you start procexp on an x64 box it launches procexp64 from the tmp folder, which accesses every other process's memory). For this case my idea is to generate a log only when dbgcore is in the call trace (which means the user right-clicked on a process and then chose generate minidump or dump).

    For this purpose I made this config file:

    <Sysmon schemaversion="4.30">
      <HashAlgorithms>*</HashAlgorithms>
      <CheckRevocation/>
      <DnsLookup>False</DnsLookup>
      <ArchiveDirectory>Sysmon</ArchiveDirectory>
      <EventFiltering>
        <RuleGroup groupRelation="or" name="">
          <ProcessAccess onmatch="include">
            <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x0800</GrantedAccess>
            <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess>
            <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess>
            <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x800</GrantedAccess>
            <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x810</GrantedAccess>
            <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess>
            <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x21410</GrantedAccess>
            <Rule groupRelation="and">
              <CallTrace condition="contains" name="technique_id=T1059.001,technique_name=PowerShell">System.Management.Automation.ni.dll</CallTrace>
              <SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\csrss.exe</TargetImage>
              <GrantedAccess>0x1F1FFF</GrantedAccess>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\wininit.exe</TargetImage>
              <GrantedAccess>0x1F1FFF</GrantedAccess>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\winlogon.exe</TargetImage>
              <GrantedAccess>0x1F1FFF</GrantedAccess>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\services.exe</TargetImage>
              <GrantedAccess>0x1F1FFF</GrantedAccess>
            </Rule>
            <Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection">
              <SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
              <CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
            </Rule>
            <TargetImage condition="contains">Desktop</TargetImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\PerfLogs\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\$Recycle.bin\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Intel\Logs\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Users\Default\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Users\Public\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Users\NetworkService\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\Fonts\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\Debug\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\Media\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\Help\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\addins\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\repair\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\security\</SourceImage>
            <SourceImage condition="begin with" name="technique_id=T1036,technique_name=Masquerading">C:\Windows\system32\config\systemprofile\</SourceImage>
            <SourceImage condition="contains" name="technique_id=T1036,technique_name=Masquerading">VolumeShadowCopy</SourceImage>
            <SourceImage condition="contains" name="technique_id=T1036,technique_name=Masquerading">\htdocs\</SourceImage>
            <SourceImage condition="contains" name="technique_id=T1036,technique_name=Masquerading">\wwwroot\</SourceImage>
            <SourceImage condition="contains" name="technique_id=T1036,technique_name=Masquerading">\Temp\</SourceImage>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\lsass.exe</TargetImage>
              <GrantedAccess>0x1FFFFF</GrantedAccess>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\lsass.exe</TargetImage>
              <GrantedAccess>0x1F1FFF</GrantedAccess>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\lsass.exe</TargetImage>
              <GrantedAccess>0x1010</GrantedAccess>
            </Rule>
            <Rule groupRelation="and">
              <TargetImage condition="is" name="technique_id=T1003,technique_name=Credential Dumping">C:\Windows\system32\lsass.exe</TargetImage>
              <GrantedAccess>0x143A</GrantedAccess>
            </Rule>
            <CallTrace condition="contains" name="technique_id=T1003,technique_name=Credential Dumping">dbghelp.dll</CallTrace>
            <CallTrace condition="contains" name="technique_id=T1003,technique_name=Credential Dumping">dbgcore.dll</CallTrace>
          </ProcessAccess>
        </RuleGroup>
        <RuleGroup groupRelation="or">
          <ProcessAccess onmatch="exclude">
            <SourceImage condition="is">C:\Program Files\Splunk\bin\splunkd.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe</SourceImage>
            <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe</SourceImage>
            <SourceImage condition="contains all">C:\Program Files\Cisco\AMP\;sfc.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\Microsoft Security Client\MsMpEng.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
            <SourceImage condition="is">C:\WINDOWS\CCM\CcmExec.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\WinZip\FAHWindow64.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\Ivanti\Workspace Control\cpushld.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\RES Software\Workspace Manager\cpushld.exe</SourceImage>
            <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe</SourceImage>
            <SourceImage condition="is">C:\Program Files\McAfee\Agent\x86\macompatsvc.exe</SourceImage>
            <SourceImage condition="end with">wmiprvse.exe</SourceImage>
            <SourceImage condition="end with">GoogleUpdate.exe</SourceImage>
            <SourceImage condition="end with">LTSVC.exe</SourceImage>
            <SourceImage condition="end with">taskmgr.exe</SourceImage>
            <SourceImage condition="end with">VBoxService.exe</SourceImage>
            <SourceImage condition="end with">vmtoolsd.exe</SourceImage>
            <SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage>
            <SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage>
            <SourceImage condition="end with">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage>
            <SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage>
            <GrantedAccess>0x1000</GrantedAccess>
            <GrantedAccess>0x1400</GrantedAccess>
            <GrantedAccess>0x101400</GrantedAccess>
            <GrantedAccess>0x101000</GrantedAccess>
            <!-- As originally posted, both SourceImage conditions sat in ONE groupRelation="and" Rule.
                 An image path cannot end with procexp64.exe and procexp.exe at the same time, so that
                 Rule could never match and the procexp exclusion never fired. One Rule per image,
                 each still requiring that dbgcore.dll is absent from the call trace, is the fix. -->
            <Rule groupRelation="and" name="technique_id=T1003,technique_name=Credential Dumping">
              <SourceImage condition="end with">procexp64.exe</SourceImage>
              <CallTrace condition="excludes">dbgcore.dll</CallTrace>
            </Rule>
            <Rule groupRelation="and" name="technique_id=T1003,technique_name=Credential Dumping">
              <SourceImage condition="end with">procexp.exe</SourceImage>
              <CallTrace condition="excludes">dbgcore.dll</CallTrace>
            </Rule>
          </ProcessAccess>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>

    However, Sysmon accepts it when I do -c, but then it won't start (the service stays in "start pending"). I experienced strange behaviour when procexp is running.

    What's wrong? Thanks for your help.


    • Edited by emiliedns Thursday, July 16, 2020 3:26 PM
    Thursday, July 16, 2020 3:21 PM
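The procexp exclusion in the posted config is worth checking mechanically: inside a `<Rule groupRelation="and">` every child condition must match the same event, so two `end with` conditions on `SourceImage` with different suffixes (procexp64.exe and procexp.exe) make the Rule unsatisfiable, and the exclusion silently never fires. The following linter is an added example, not code from the poster or from Sysinternals; it assumes only the documented Sysmon rule semantics (a Rule without `groupRelation` defaults to `or`, conditions are case-insensitive) and embeds a constructed cut-down config holding the rule as posted beside the split version that does work.

```python
"""Lint Sysmon event-filter rules for AND groups that can never match.

Added example, not from the original post. Assumes documented Sysmon semantics:
inside <Rule groupRelation="and"> every child condition must hold for the same
event, so two mutually exclusive conditions on one field (e.g. two different
"end with" suffixes on SourceImage) make the whole Rule dead.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the procexp exclusion as posted (one AND rule with two
# SourceImage suffixes) beside the split version, one rule per image.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <Rule groupRelation="and" name="procexp-as-posted">
          <SourceImage condition="end with">procexp64.exe</SourceImage>
          <SourceImage condition="end with">procexp.exe</SourceImage>
          <CallTrace condition="excludes">dbgcore.dll</CallTrace>
        </Rule>
        <Rule groupRelation="and" name="procexp64-fixed">
          <SourceImage condition="end with">procexp64.exe</SourceImage>
          <CallTrace condition="excludes">dbgcore.dll</CallTrace>
        </Rule>
        <Rule groupRelation="and" name="procexp-fixed">
          <SourceImage condition="end with">procexp.exe</SourceImage>
          <CallTrace condition="excludes">dbgcore.dll</CallTrace>
        </Rule>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def _conflict(cond_a, val_a, cond_b, val_b):
    """True when two conditions on the same field cannot both hold for one value.

    Only exact/prefix/suffix pairs of the same condition type are provably
    exclusive; "contains" + "end with" or "excludes" pairs can legitimately
    co-exist in an AND rule, so they are not flagged.
    """
    a, b = val_a.lower(), val_b.lower()  # Sysmon matching is case-insensitive
    if cond_a != cond_b:
        return False
    if cond_a == "is":
        return a != b
    if cond_a == "end with":
        return not (a.endswith(b) or b.endswith(a))
    if cond_a == "begin with":
        return not (a.startswith(b) or b.startswith(a))
    return False


def _has_conflict(conds):
    """conds: list of (condition, value) pairs for one field inside one rule."""
    return any(_conflict(*conds[i], *conds[j])
               for i in range(len(conds)) for j in range(i + 1, len(conds)))


def dead_and_rules(config_xml):
    """Return (event type, rule name or #index, field) for every AND rule that
    contains mutually exclusive conditions on the same field."""
    root = ET.fromstring(config_xml)
    dead = []
    for event in root.iter():
        # Event-type elements (ProcessAccess, ProcessCreate, ...) carry onmatch.
        if event.get("onmatch") not in ("include", "exclude"):
            continue
        for idx, rule in enumerate(event.findall("Rule")):
            if (rule.get("groupRelation") or "or").lower() != "and":
                continue  # OR rules are never dead because of sibling conditions
            by_field = {}
            for cond in rule:
                by_field.setdefault(cond.tag, []).append(
                    ((cond.get("condition") or "is").lower(), (cond.text or "").strip()))
            for field, conds in by_field.items():
                if _has_conflict(conds):
                    dead.append((event.tag, rule.get("name") or f"#{idx}", field))
    return dead


if __name__ == "__main__":
    # Usage: python sysmon_lint.py sysmonconfig.xml  (no argument lints the sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for ev, name, field in dead_and_rules(src):
        print(f'{ev} rule {name}: conflicting {field} conditions inside groupRelation="and"')
```

Run against the full config from the post, the only hit is the procexp rule; the split rules (`procexp64-fixed` and `procexp-fixed` in the sample) pass, and Sysmon will then actually drop procexp's routine handle opens while still logging the ones whose call trace goes through dbgcore.dll.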

All replies

  • Interesting. I just tried your configuration file and both Sysmon -c and Sysmon -i worked correctly.

    Are you only seeing this when updating via Sysmon -c, or do you see it when you run Sysmon -i too?

    Also could you tell me what operating system you are using?

    Finally, if the Sysmon process is in a stalled state, would it be possible to collect a memory dump of the Sysmon process (either from Task Manager or Process Explorer, since the latter is already running)? If so, could you contact me offline at syssite@microsoft.com so that I can arrange to collect it from you.

    MarkC(MSFT)

    Monday, July 20, 2020 7:17 AM