No event 1 in powershell "live" commands execution

  • Question

  • Hi:

    I have this sysmon configuration

    ```
    <Sysmon schemaversion="4.22">
        <HashAlgorithms>md5,sha256</HashAlgorithms>
        <CheckRevocation/>

        <EventFiltering>
            <RuleGroup name="" groupRelation="or">
                <!-- Event ID 1 == Process Creation. -->
                <ProcessCreate onmatch="exclude">
                </ProcessCreate>
            </RuleGroup>
        </EventFiltering>
    </Sysmon>
    ```

    What I want is to detect the execution of PowerShell and also all the commands executed on my server.

    Now I'm able to see what is executed with scripts, not with the config provided; I use configs like

    ```
    <Image condition="end with" name="T1086 -1">powershell.exe</Image>
    ```

    But if I execute PowerShell and then "live" commands, I see no event 1 in Sysmon.

    What am I doing wrong? What/how can I improve my monitoring?

    Tuesday, June 23, 2020 12:13 PM

All replies

  • FYI:

    Similar issue


    Dave

    Tuesday, June 23, 2020 8:23 PM
  • Hello

    Firstly, there was a regression in Sysmon 11.00 that affected some platforms, so if you are seeing no process create events at all then try with Sysmon 11.10 first, and if you are still seeing an issue ping me at syssite@microsoft.com and I will assist you.

    Assuming you are seeing some process create events but not others, could you confirm that your TA1086 rule is in an include block and not the exclude block that is in your first config?

    MarkC(MSFT)

    Wednesday, June 24, 2020 8:58 AM
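The include-versus-exclude distinction MarkC raises is the crux of the question above, so here is an added example (written for this thread, not code from Sysmon or from either poster) that parses a Sysmon config and decides whether a given process-creation event would be logged. It embeds three constructed configs: the original empty `exclude` block, the poster's `T1086 -1` rule placed in an `exclude` block, and the same rule in an `include` block. The evaluator follows Sysmon's documented rule semantics (an exclude match drops the event; if include rules exist only matching events are logged; with no include rules everything not excluded is logged) and supports only the simple `is`, `contains`, `begin with` and `end with` conditions on single rules, not compound `<Rule>` elements. The sample image paths are constructed, not taken from any real host.

```python
"""Evaluate Sysmon ProcessCreate (Event ID 1) filtering for sample events.

Hypothetical helper written for this thread; it is not Sysmon's own code.
Semantics implemented for one event type:
  - an event matching any 'exclude' rule is dropped,
  - otherwise, if 'include' rules exist, the event is logged only when it
    matches one of them,
  - otherwise (no include rules at all) the event is logged.
"""
import xml.etree.ElementTree as ET

# Constructed config 1: the poster's first config. An empty exclude block
# means nothing is excluded, so every process creation is logged.
CONFIG_EXCLUDE_ALL_LOGGED = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed config 2: the T1086 rule inside an exclude block (the mistake
# MarkC asks about). powershell.exe becomes the ONE image that is not logged.
CONFIG_RULE_IN_EXCLUDE = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with" name="T1086 -1">powershell.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed config 3: the same rule inside an include block. Only images
# ending in powershell.exe produce Event ID 1.
CONFIG_RULE_IN_INCLUDE = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with" name="T1086 -1">powershell.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def _match(condition, needle, value):
    """Sysmon string conditions are case-insensitive."""
    v, n = value.lower(), needle.lower()
    if condition == "is":
        return v == n
    if condition == "contains":
        return n in v
    if condition == "begin with":
        return v.startswith(n)
    if condition == "end with":
        return v.endswith(n)
    raise ValueError(f"unsupported condition: {condition}")


def process_create_rules(config_xml):
    """Return (include_rules, exclude_rules); each rule is (field, condition, value, name)."""
    root = ET.fromstring(config_xml)
    include, exclude = [], []
    for pc in root.iter("ProcessCreate"):
        bucket = include if pc.get("onmatch") == "include" else exclude
        for rule in pc:  # an empty block yields no rules at all
            bucket.append((rule.tag, rule.get("condition", "is"),
                           (rule.text or "").strip(), rule.get("name", "")))
    return include, exclude


def would_log(config_xml, event):
    """event maps Sysmon field names (e.g. 'Image') to the values of one process creation."""
    include, exclude = process_create_rules(config_xml)

    def hit(rules):
        return any(field in event and _match(cond, val, event[field])
                   for field, cond, val, _ in rules)

    if hit(exclude):
        return False
    if include:
        return hit(include)
    return True


# Constructed sample process creations.
SAMPLE_EVENTS = {
    "powershell": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    "cmd": {"Image": r"C:\Windows\System32\cmd.exe"},
}


def summary(config_xml):
    """Map each sample event name to whether this config would log it."""
    return {name: would_log(config_xml, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, cfg in [("empty exclude", CONFIG_EXCLUDE_ALL_LOGGED),
                       ("rule in exclude", CONFIG_RULE_IN_EXCLUDE),
                       ("rule in include", CONFIG_RULE_IN_INCLUDE)]:
        print(f"{label:16s} -> {summary(cfg)}")
```

Running it shows why the rule placement matters: with the rule in an exclude block, powershell.exe is the only image that never appears as Event ID 1. Note also what this evaluator cannot help with: a command typed into an already running PowerShell console only produces Event ID 1 if it starts a child process, because Sysmon Event 1 records process creation, not in-process cmdlet execution.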