Sysmon 11.10 Not Logging All EventCode 23 Events

  • Question

  • We recently upgraded a small test group from Sysmon 11.0 to Sysmon 11.10 to address the bugs discussed for 11.0. After upgrading, we performed some basic testing to make sure the new features were working as expected. Some of the new features (specifically related to alternate data streams) seemed to work as expected. However, we noticed that Event Code 23 was no longer being logged (and files were not being copied-on-delete) as expected and determined by our configuration file.

    Additional testing found that the only event being logged (for Event Code 23) was Powershell deleting a PSScriptPolicyTest file. No other deletes made during our testing were logged or copied-on-delete. For a sanity check, we reverted back to 11.0 using the exact same configuration file and found that Event Code 23 events were once again being logged as expected.

    There seem to be some major issues with Event Code 23 for Sysmon 11.10.

    • Edited by jwilczek22 Friday, June 26, 2020 2:28 PM
    Friday, June 26, 2020 2:27 PM

All replies

  • Hello

    Thank you for reporting. I am currently investigating this issue and will revert shortly.

    MarkC(MSFT)

    Monday, June 29, 2020 6:28 AM
  • Thanks! Please feel free to let me know if I can provide additional debugging support.
    Monday, June 29, 2020 1:06 PM
  • Until the issue with Sysmon is fixed you could use the following way:

    If you would still like to track process creation then you can fall-back to Windows Security Auditing. The Event ID 4688 gives similar results as Sysmon Event ID 1. By default, process tracking is not enabled, you need to do this via the Group Policy Editor (Audit Process Tracking).

    Monday, June 29, 2020 1:27 PM
  • The issue here is file delete events not process create. As far as I am aware there are no issues with Sysmon Process Create events with 11.10.

    MarkC(MSFT)

    Tuesday, June 30, 2020 9:40 AM
  • I'm thinking I'm seeing similar symptoms, but never had 11.0 up and working before downloading the latest. I do see SOME file deletion events, but not all.

    Is there a place that I could download the 11.0 version for my testing?

    Thanks


    Tuesday, June 30, 2020 8:52 PM
  • I can also confirm that I am seeing the same issue with event code 23s on 11.1. Sysmon appears to be creating event 23s and capturing the files for system background activities. Any files that I delete as a user (with 'del') are not generating alerts or being captured. If I delete a file with explorer nothing is generated until I empty the trash.

    Thanks.

    Thursday, July 2, 2020 12:33 PM
  • Hello

    I was able to identify the root cause of this regression and can confirm that Mark R. is currently working on it. An update should be available soon.

    MarkC(MSFT)

    Friday, July 3, 2020 12:06 PM
  • I just tested 11.11 and can confirm that this issue is still present.
    Wednesday, July 15, 2020 3:26 PM
  • I just tried the delete ability/function and it didn't work for me.

    I can see the Archive folder gets created, but in the root of the C:\ drive. I have sysmon monitoring C:\Demo; I thought the archive folder would get created inside the Demo folder and not the root directory.

    Any thoughts?

    I uninstalled sysmon 11.10, rebooted and installed sysmon 11.11, but I can't seem to get sysmon to save the text file I am working with.

    • Edited by Pappy_C Wednesday, July 15, 2020 5:40 PM
    Wednesday, July 15, 2020 5:37 PM
  • It seems like there may be some confusion regarding the Archive folder. Per my understanding, it must be at the root of C:\ and can be any name you want. All deletes (again, per my understanding since documentation is scarce) should go to the Archive folder you specify in your config, not a subfolder in the path you are monitoring.

    I'm not sure what you mean by "save the text file".


    • Edited by jwilczek22 Wednesday, July 15, 2020 5:49 PM Typo
    Wednesday, July 15, 2020 5:48 PM
  • Sorry, I meant to say: I saved the "test" text file in the demo directory.

    Later deleted it from the demo directory, and it never showed up in the Archive folder.

    Wednesday, July 15, 2020 5:53 PM
  • That's the same behavior we're seeing, with the addition that an EventCode 23 log event is also not created.
    Wednesday, July 15, 2020 7:44 PM
  • I just tested this again and it appears to be working for me.

    In the simplest case if I do the following:

    dir > test.txt

    del test.txt

    The event code 23 is correctly logged. This was not the case in Sysmon 11.10. Moreover if I open a file with the delete on close bit set this too is logged correctly. Again this was not the case in 11.10.

    Could you describe your test to me so that I can try to reproduce?

    MarkC(MSFT)

    Thursday, July 16, 2020 6:04 AM
  • After some additional testing this morning, I have the following to report:

    I started with the config provided below.

    <FileDelete onmatch="include">
         <TargetFilename condition="contains">\Downloads\</TargetFilename>
    </FileDelete>

    With that configuration, I repeated your test (dir > test.txt, del test.txt) and saw an EventCode 23... the first time. I repeated that test moments later and nothing was logged. I also never was able to get anything to log for other file extensions (PDF, EXE, DLL, CSV, etc).

    As a next test, I changed my filter to an empty exclude:

    <FileDelete onmatch="exclude">
    </FileDelete>

    With the configuration file set in this manner, all of my tests succeeded (deleting from command line, deleting from explorer, various extensions, etc.).

    While I would agree Event Code 23 appears to be working in 11.11, it now looks like there's a bug in the rule logic (unless I have a typo in my include rule that I am overlooking). If this is the case, does the issue impact Event Code 23 only or all Event Codes?

    Thursday, July 16, 2020 1:03 PM
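    The manual check MarkC describes (dir > test.txt, del test.txt) and the include-vs-exclude comparison in the post above can be scripted so each Sysmon build and each FileDelete rule variant is tested the same way. The following PowerShell is an added example written for this thread, not code from Sysinternals or from any poster; the test directory C:\Demo and the archive directory C:\Sysmon are constructed assumptions and should match the path your FileDelete rule covers and the ArchiveDirectory in your Sysmon config.

```powershell
# Added example: create and delete a file, then verify that Sysmon logged Event ID 23 for it.
# Assumes Sysmon is installed, a FileDelete rule covers $TestDir, and ArchiveDirectory is set.
# Run from an elevated prompt: reading the Sysmon operational log requires admin rights.
param(
    [string]$TestDir     = 'C:\Demo',    # constructed: directory matched by the FileDelete rule
    [string]$ArchiveDir  = 'C:\Sysmon',  # constructed: ArchiveDirectory from the Sysmon config
    [int]   $WaitSeconds = 5             # give Sysmon a moment to write the event
)

$logName  = 'Microsoft-Windows-Sysmon/Operational'
$testFile = Join-Path $TestDir ('test-{0}.txt' -f (Get-Date -Format 'yyyyMMddHHmmss'))

# Step 1: same sequence as the manual test, "dir > test.txt" followed by "del test.txt"
$start = Get-Date
Get-ChildItem -Path $TestDir | Out-File -FilePath $testFile
Remove-Item -Path $testFile -Force
Start-Sleep -Seconds $WaitSeconds

# Step 2: look for an Event ID 23 whose TargetFilename is exactly the file we just deleted
$filter = @{ LogName = $logName; Id = 23; StartTime = $start }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Where-Object {
    ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'TargetFilename' -and $_.'#text' -eq $testFile }
}

if ($hits) {
    Write-Host "OK: Event ID 23 logged for $testFile"
    # The copied-on-delete file lands in ArchiveDirectory, not in the monitored folder.
    # Sysmon protects that directory with a System ACL, so listing it usually needs a
    # SYSTEM context (for example via PsExec -s); admin alone may be denied.
    Get-ChildItem -Path $ArchiveDir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 FullName, Length, LastWriteTime
} else {
    Write-Warning ("No Event ID 23 for {0} within {1}s. Re-check the FileDelete rule " -f $testFile, $WaitSeconds) +
                  'and compare an onmatch="include" rule with an empty onmatch="exclude" rule.'
}
```

    Run it once with the include rule and once with the empty exclude rule to confirm whether a missing event is a logging regression or a rule-matching problem.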
  • Interesting. Thanks for the additional information. I will take a look.

    MarkC(MSFT)

    Monday, July 20, 2020 6:55 AM
  • Has there been any update on this? Are you seeing the same issues?

    Thank you,

    Josh

    Friday, July 24, 2020 1:26 PM
  • Can you please provide an update on this?

    Thank you!

    Tuesday, August 11, 2020 5:05 PM