sysmon filtering exclude/include advice sought

    Question

  • I am trying to create a Sysmon config that would exclude ImageLoad of all Microsoft-signed DLLs but at the same time capture/log the loading of System.Management.Automation.dll and System.Management.Automation.ni.dll, both of which are signed by Microsoft. This would allow the detection of PowerShell execution without the use of the powershell.exe interpreter, similar to this: https://cobbr.io/InsecurePowershell-PowerShell-Without-System-Management-Automation.html

    However, since exclude (of all Microsoft-signed DLLs) overrides include, it doesn't seem I can do this. Can anyone think of a trick that would allow me to accomplish this?

    Friday, December 21, 2018 6:38 PM

All replies

  • Hello

    Seems like you might be able to use condition="exclude" for this, as this matches on strings that don't contain the value. OTOH, something along the lines of

    <ImageLoad onmatch="exclude">
        <!-- ImageLoaded is the path of the DLL being loaded (Image is the loading process).
             With onmatch="exclude", a negative-contains condition drops every load whose
             path does not contain this string, so only these DLL loads are logged. -->
        <ImageLoaded condition="exclude">System.Management.Automation</ImageLoaded>
    </ImageLoad>

    I haven't tried it though so let me know if you can't get it to work and I'll take a look for you.

    MarkC (MSFT)

    Thursday, December 27, 2018 7:33 PM
  • Hmmm... Maybe I misunderstand what you mean. Here is what I am trying to do:

    <ImageLoad onmatch="exclude">
        <Signature condition="is">Microsoft Windows</Signature>
        <Signature condition="is">Microsoft Corporation</Signature>
    </ImageLoad>
    <ImageLoad onmatch="include">
        <ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
        <ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
    </ImageLoad>

    However, both of those DLLs are actually signed by "Microsoft Windows", so they won't be captured. I don't want to capture the loading of thousands of other MS-signed DLLs, but I want to know when these two are loaded. How do I do this?

    Wednesday, January 2, 2019 4:48 PM
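One way to combine the two approaches above so that the signature exclusion and the DLL-name exception are evaluated together, as an added example that is not from either participant: a single exclude block whose conditions are AND-ed with Rule groupRelation. This assumes a Sysmon build with schema version 4.1 or later (Rule groups were added in Sysmon 8.0) and uses the condition keyword spelled excludes, as in the current Sysmon documentation. Because the rules are exclude-only, every other ImageLoad event is still logged, matching the original post's intent.

```xml
<Sysmon schemaversion="4.1">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 7 (ImageLoad). Each <Rule> is one exclude rule whose
           conditions are AND-ed; the two rules are OR-ed with each other. -->
      <ImageLoad onmatch="exclude">
        <!-- Drop "Microsoft Windows"-signed loads, but only when the loaded
             image is NOT one of the System.Management.Automation DLLs. The
             ".ni.dll" native image contains the same substring, so one
             condition covers both files. -->
        <Rule groupRelation="and">
          <Signature condition="is">Microsoft Windows</Signature>
          <ImageLoaded condition="excludes">System.Management.Automation</ImageLoaded>
        </Rule>
        <!-- Same treatment for "Microsoft Corporation"-signed loads. -->
        <Rule groupRelation="and">
          <Signature condition="is">Microsoft Corporation</Signature>
          <ImageLoaded condition="excludes">System.Management.Automation</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Verify after loading with Sysmon -c that a PowerShell host process (for example a normal powershell.exe start) still produces Event ID 7 entries for System.Management.Automation.dll while other Microsoft-signed DLLs in the same process are absent from the log.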