I'm learning Sysmon and am doing some testing with v13.02, and I can't get rules based on OriginalFileName to match.
This is my test config file:
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ProcessCreate - Include" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
        <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="ProcessTerminate - Include" groupRelation="or">
      <ProcessTerminate onmatch="include">
        <!-- Empty rule set -->
      </ProcessTerminate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
The result is an event logged with the 'Default catch' RuleName, even though the event contents show that the OriginalFileName is net.exe.
Process Create:
RuleName: Default catch
UtcTime: 2021-04-15 14:53:08.216
ProcessGuid: {952ebdeb-5354-6078-d205-000000006700}
ProcessId: 2548
Image: C:\Windows\System32\net.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user
<snip>
What am I missing? Or is this a bug?
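As an added example (not part of the original post and not Sysmon's own code), the checker below parses the config from the post and evaluates its include rules against the field values of the logged Process Create event, returning every rule name the event satisfies in config order. It assumes case-insensitive comparison and implements only a subset of Sysmon's filter conditions, so it approximates which rules match, not which RuleName Sysmon chooses to report.

```python
import xml.etree.ElementTree as ET

# Copy of the config from the post, embedded so this runs offline
SYSMON_CONFIG = r"""<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ProcessCreate - Include" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="Original filename catch" condition="is">net.exe</OriginalFileName>
        <Image name="Default catch" condition="is">C:\Windows\System32\net.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Field values taken from the Process Create event in the post
EVENT = {
    "Image": r"C:\Windows\System32\net.exe",
    "OriginalFileName": "net.exe",
    "CommandLine": "net user",
}

# Subset of Sysmon conditions; (v = rule value, f = event field), both lower-cased
CONDITIONS = {
    "is": lambda v, f: f == v,
    "is not": lambda v, f: f != v,
    "contains": lambda v, f: v in f,
    "begin with": lambda v, f: f.startswith(v),
    "end with": lambda v, f: f.endswith(v),
    # 'image' accepts either the full path or just the file name
    "image": lambda v, f: f == v or f.rsplit("\\", 1)[-1] == v,
}

def condition_matches(condition, value, field_value):
    """Assumption: Sysmon compares case-insensitively. Unknown conditions raise KeyError."""
    return CONDITIONS[condition](value.lower(), field_value.lower())

def matching_rules(config_xml, event_type, event):
    """Return the names of all include rules for event_type that the event satisfies."""
    root = ET.fromstring(config_xml)
    matches = []
    for block in root.iter(event_type):
        if block.get("onmatch") != "include":
            continue
        for rule in block:  # each child is one filter, e.g. <Image condition="is">...</Image>
            field_value = event.get(rule.tag)
            if field_value is not None and condition_matches(
                    rule.get("condition", "is"), rule.text.strip(), field_value):
                matches.append(rule.get("name", rule.tag))
    return matches

if __name__ == "__main__":
    print(matching_rules(SYSMON_CONFIG, "ProcessCreate", EVENT))
```

Run as a script it lists both rule names, confirming that the event satisfies both filters; a process whose Image and OriginalFileName differ from net.exe yields an empty list.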