Sysmon 10.0.4.2 Excludes, Excludes Any, Excludes All in an Include RuleGroup not working

  • Question

  • In Sysmon 10.0.4.2 I've been having issues applying some of the filtering within my configuration file. Within ImageLoad (onmatch="include") I have the following rule:

    <Rule name="MitreRef=T1047,Technique=Windows Management Instrumentation" groupRelation="and">
    <ImageLoaded condition="contains any">wmiclnt.dll;WmiApRpl.dll;wmiprov.dll;wmiutils.dll;wbemcomn.dll;wbemprox.dll;WMINet_Utils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
    <Image condition="excludes any">C:\Windows\System32\wbem\WmiPrvSE.exe;C:\windows\system32\svchost.exe;C:\Windows\System32\wbem\WmiAPsrv.exe</Image>
    </Rule>

    In theory (from what I understand) this should include events for those DLLs unless the Image associated with that ImageLoad event is any of the 3 images... however... this is not working.

    Am I wrong in how I am implementing the excludes any filter option within an include rulegroup?

    Saturday, May 9, 2020 12:39 AM

All replies

  • Did you already try version 11.0?

    In any case, when you have a doubt like yours, try reading the Sysmon Community Guide:
    https://github.com/trustedsec/SysmonCommunityGuide

    You should easily find your answer.

    HTH
    -mario

    Sunday, May 10, 2020 8:27 AM
  • Hi Michael

    I think this should work as you suggested. Is the failure that you are seeing DLL loads for one of the three images (svchost, wmiprvse or wmiapsrv)? Or are you not seeing DLL loads for other processes?

    Also, could you contact me offline at syssite@microsoft.com and let me have a copy of your full configuration file?

    MarkC(MSFT)

    Monday, May 11, 2020 1:10 PM
  • I was still seeing DLL loads for wmiprvse. Oddly enough it has stopped :/ BTW - any timeline on updating V11 so it's compatible with older OSes? I heard there was a bug as a result of fixing the WEF issue.
    Monday, May 11, 2020 7:21 PM
  • The problem is also that DLL loads are logged for processes other than the process that is set to exclude in the "include" rulegroup.

    <RuleGroup name="" groupRelation="or">
    <ImageLoad onmatch="include">

    <Rule name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Description=Mimikatz:Logonpasswords Associated DLL" groupRelation="and">
    <ImageLoaded condition="contains any">WinSCard.dll;cryptdll.dll;hid.dll;samlib.dll;vaultcli.dll;wlanapi.dll</ImageLoaded>
    <Image condition="excludes">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
    </Rule>

    </ImageLoad>

    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
    <ImageLoad onmatch="exclude">

    <Rule name="Exclude Browsers" groupRelation="or">
    <Image condition="end with">chrome.exe</Image>
    <Image condition="end with">iexplore.exe</Image>
    <Image condition="end with">firefox.exe</Image>
    </Rule>

    </ImageLoad>

    </RuleGroup>

    I end up having events (event code 7) for chrome.exe loading DLLs not even monitored by that rule. See log examples below.

    Image loaded:
    RuleName: MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Description=Mimikatz:Logonpasswords Associated DLL
    UtcTime: 2020-05-12 18:14:43.526
    ProcessGuid: {b04b0554-e790-5eba-0100-0010699f068e}
    ProcessId: 48752
    Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    ImageLoaded: C:\Windows\SysWOW64\msasn1.dll
    FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
    Description: ASN.1 Runtime APIs
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    OriginalFileName: msasn1.dll
    Hashes: MD5=F26BBD782A1CDAE50E9D0752EBC85CD7,SHA256=ABCF26EEBE07BA6D333B83A3FC136DFC1FFC1E27DAACA447DBD516D09142BF5E,IMPHASH=8B673B4F1EC3D14944616415C3421550
    Signed: true
    Signature: Microsoft Windows
    SignatureStatus: Valid

    Image loaded:
    RuleName: MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Description=Mimikatz:Logonpasswords Associated DLL
    UtcTime: 2020-05-12 18:14:43.559
    ProcessGuid: {b04b0554-e790-5eba-0100-0010699f068e}
    ProcessId: 48752
    Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    ImageLoaded: C:\Windows\SysWOW64\winspool.drv
    FileVersion: 10.0.17763.1075 (WinBuild.160101.0800)
    Description: Windows Spooler Driver
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    OriginalFileName: winspool.drv
    Hashes: MD5=90EB4C6AB42420BA9223231BB8B2D693,SHA256=0BA30DE64B35B31506EF9EEB775D3629D3996DB18028B0DCCDEF3D9797EEBB86,IMPHASH=2596B76E17706A9124B6EFDF2B2D5A34
    Signed: true
    Signature: Microsoft Windows
    SignatureStatus: Valid


    Tuesday, May 12, 2020 6:46 PM
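To check what the two rules in this thread should match on paper, here is an added example (not code from the thread or from Sysmon) that evaluates a Sysmon `<Rule>` block against an event using the condition semantics as documented for Sysmon: matching is case-insensitive, list values are split on `;`, "excludes any" is true when the field lacks one or more of the listed values, and "excludes all" is true when it lacks every one. The events below are constructed from the thread's log samples; the Mimikatz rule uses a `;` for the `vaultcli.dll;wlanapi.dll` separator.

```python
import xml.etree.ElementTree as ET

# Rule blocks taken from the thread (rule names shortened). Added example code.
WMI_RULE = r"""<Rule name="MitreRef=T1047" groupRelation="and">
<ImageLoaded condition="contains any">wmiclnt.dll;WmiApRpl.dll;wmiprov.dll;wmiutils.dll;wbemcomn.dll;wbemprox.dll;WMINet_Utils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
<Image condition="excludes any">C:\Windows\System32\wbem\WmiPrvSE.exe;C:\windows\system32\svchost.exe;C:\Windows\System32\wbem\WmiAPsrv.exe</Image>
</Rule>"""

MIMIKATZ_RULE = r"""<Rule name="MitreRef=T1003" groupRelation="and">
<ImageLoaded condition="contains any">WinSCard.dll;cryptdll.dll;hid.dll;samlib.dll;vaultcli.dll;wlanapi.dll</ImageLoaded>
<Image condition="excludes">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
</Rule>"""

# Constructed events: one WmiPrvSE load the poster wanted dropped, and the
# chrome.exe / msasn1.dll load from the thread's event ID 7 sample.
WMIPRVSE_LOAD = {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "ImageLoaded": r"C:\Windows\System32\wbem\fastprox.dll"}
CHROME_MSASN1 = {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
                 "ImageLoaded": r"C:\Windows\SysWOW64\msasn1.dll"}


def _condition(cond, field, value):
    """Evaluate one Sysmon filter condition (case-insensitive, ';' list separator)."""
    f, v = field.lower(), value.lower()
    vals = [x.strip() for x in v.split(";") if x.strip()]
    if cond == "is":            return f == v
    if cond == "is not":        return f != v
    if cond == "contains":      return v in f
    if cond == "excludes":      return v not in f
    if cond == "begin with":    return f.startswith(v)
    if cond == "end with":      return f.endswith(v)
    if cond == "contains any":  return any(x in f for x in vals)
    if cond == "contains all":  return all(x in f for x in vals)
    # "excludes any": field does not contain one or more of the values (not contains-all)
    if cond == "excludes any":  return not all(x in f for x in vals)
    # "excludes all": field does not contain any of the values (not contains-any)
    if cond == "excludes all":  return not any(x in f for x in vals)
    raise ValueError(f"unsupported condition: {cond}")


def rule_matches(rule_xml, event):
    """True if the event satisfies the <Rule>; groupRelation defaults to 'or'."""
    rule = ET.fromstring(rule_xml)
    results = [_condition(f.get("condition", "is"), event.get(f.tag, ""), f.text or "")
               for f in rule]
    return all(results) if rule.get("groupRelation", "or") == "and" else any(results)


if __name__ == "__main__":
    print("WMI rule, WmiPrvSE load:", rule_matches(WMI_RULE, WMIPRVSE_LOAD))
    print("WMI rule with 'excludes all':",
          rule_matches(WMI_RULE.replace("excludes any", "excludes all"), WMIPRVSE_LOAD))
    print("Mimikatz rule, chrome.exe/msasn1.dll:", rule_matches(MIMIKATZ_RULE, CHROME_MSASN1))
```

Under these semantics the WMI rule still matches the WmiPrvSE.exe load, because a single Image path can never contain all three listed paths, so "excludes any" is always satisfied; "excludes all" drops it. The chrome.exe load of msasn1.dll matches neither rule, so an event tagged with the Mimikatz rule name there is not explained by the rule text alone.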