I'm doing some testing with Sysmon version 13.02 and can't get some rules based on CommandLine to match.
This is my test config file:
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ProcessCreate - Include" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine name="Net user contains" condition="contains">net user</CommandLine>
        <CommandLine name="Net user begin with" condition="begin with">net user</CommandLine>
        <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
      <ProcessTerminate onmatch="include">
        <!-- Empty rule set -->
      </ProcessTerminate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
Running 'net user' from the command prompt only yields an event with 'Default catch' as the RuleName.
Neither of the CommandLine rules matches!
What am I doing wrong? Or is this a bug?
