sysmon 9.1 truncating Image Name data

  • Question

  • This shows up in the raw event before our SIEM, which grabs it and forwards it on. It also isn't something that happens on all boxes. I've uninstalled and reinstalled this one with the same results. It doesn't do this with all events either. This one is pretty constant though.

    See the <Data Name='Image'>ndows\SysWOW64

    <Event xmlns='hxxp://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698AAAA9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-07-16T12:59:15.690172900Z'/><EventRecordID>24188</EventRecordID><Correlation/><Execution ProcessID='6704' ThreadID='9452'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>host40113.domain.com</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>2019-07-16 12:59:15.674</Data><Data Name='UtcTime'>㬈톲쨣崭</Data><Data Name='ProcessGuid'>{581B1000-78C0-0674-0000-43003A005C00}</Data><Data Name='ProcessId'>6881367</Data><Data Name='Image'>ndows\SysWOW64\NETSTAT.EXE</Data><Data Name='FileVersion'>10.0.17134.1 (WinBuild.160101.0800)</Data><Data Name='Description'>TCP/IP Netstat Command</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='CommandLine'>netstat -aon -p TCP</Data><Data Name='CurrentDirectory'>C:\Program Files (x86)\Tanium\Tanium Client\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{D1B23B08-F52C-5D26-0000-0020E7030000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>SHA256=9A8D0D04F1B52FB3AEB6ABA42936903EEFBE6B72221DE9852B1B3A4D8244E690,IMPHASH=4A124D4C214DBB24BCE7F0447B727173</Data><Data Name='ParentProcessGuid'>{D1B23B08-CA23-5D2D-0000-0010452BC078}</Data><Data Name='ParentProcessId'>14004</Data><Data Name='ParentImage'>C:\Windows\SysWOW64\cmd.exe</Data><Data Name='ParentCommandLine'>cmd /c netstat -aon -p TCP</Data></EventData></Event>

    Tuesday, July 16, 2019 1:26 PM

All replies

  • Just tried with the latest version, 10.02, and that specific exe was logged correctly.

    System Monitor v10.2 - System activity monitor
    Copyright (C) 2014-2019 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com

    How do you start netstat from the SysWOW64 folder? Is it a 32-bit process that starts it?

    First things first, I would update it to the latest version, at least on the machine where you repro almost constantly.

    HTH
    -mario

    Tuesday, July 16, 2019 1:43 PM
  • It looks like some of the fields may be misaligned. The rulename and ProcessID for example look a bit squiffy.

    If you would be prepared to share your Sysmon event log with us could you contact me offline at syssite@microsoft.com and I will provide you with a location to upload it (or you can email it to me if it is short enough).

    MarkC (MSFT)

    Wednesday, July 17, 2019 9:58 AM
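MarkC's remark above that the fields look misaligned can be checked mechanically before a record reaches the SIEM; the Python below is added here and is not part of the thread or of Sysmon. It parses an Event ID 1 record and flags the signs visible in the posted event (a timestamp sitting in RuleName, an unparseable UtcTime, an Image with no drive prefix, an implausible ProcessId); the field names and sample values come from the question, while the build_event helper, the indicator names and the GUID-tail heuristic are my own.

```python
import re
import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"  # shown defanged (hxxp) in the post
UTCTIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")
ABS_PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\|\\Device\\)")

def build_event(fields):
    """Constructed helper: wrap EventData fields in a minimal Sysmon EID 1 envelope."""
    data = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{SYSMON_NS}'><System><EventID>1</EventID></System>"
            f"<EventData>{data}</EventData></Event>")

def event_data(xml_text):
    """Parse one event into a {Name: value} dict of its EventData fields."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): d.text or "" for d in root.iter(f"{{{SYSMON_NS}}}Data")}

def check_event(xml_text):
    """Return misalignment indicators for a Sysmon EID 1 event; [] means it looks sane."""
    d = event_data(xml_text)
    found = []
    if not UTCTIME_RE.match(d.get("UtcTime", "")):
        found.append("utctime_not_timestamp")
    if UTCTIME_RE.match(d.get("RuleName", "")):
        found.append("rulename_holds_timestamp")  # the UtcTime value landed one field early
    if not ABS_PATH_RE.match(d.get("Image", "")):
        found.append("image_not_absolute_path")   # e.g. "ndows\SysWOW64\..." with "C:\Wi" gone
    pid = d.get("ProcessId", "")
    if not (pid.isdigit() and int(pid) % 4 == 0):  # Windows process IDs are multiples of 4
        found.append("pid_implausible")
    # Heuristic: the last 6 bytes of ProcessGuid, read as UTF-16LE, should not be printable text.
    tail = d.get("ProcessGuid", "").rstrip("}")[-12:]
    try:
        if len(tail) == 12 and all(32 <= ord(c) < 127 for c in bytes.fromhex(tail).decode("utf-16-le")):
            found.append("guid_tail_is_text")
    except ValueError:
        pass
    return found

# Constructed samples: BAD mirrors the fields in the posted event, GOOD is what a sane record looks like.
BAD_EVENT = build_event({
    "RuleName": "2019-07-16 12:59:15.674", "UtcTime": "㬈톲쨣崭",
    "ProcessGuid": "{581B1000-78C0-0674-0000-43003A005C00}", "ProcessId": "6881367",
    "Image": r"ndows\SysWOW64\NETSTAT.EXE", "CommandLine": "netstat -aon -p TCP"})
GOOD_EVENT = build_event({
    "RuleName": "-", "UtcTime": "2019-07-16 12:59:15.674",
    "ProcessGuid": "{D1B23B08-CA23-5D2D-0000-0010452BC078}", "ProcessId": "14004",
    "Image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "CommandLine": "netstat -aon -p TCP"})
```

In the posted event the last six bytes of ProcessGuid, 43 00 3A 00 5C 00, are "C:\" in UTF-16LE, which is why the heuristic flags the record as shifted rather than merely truncated.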