question

0 Votes
MichaelN-3711 asked MichaelN-3711 answered

Possible parser bugs in Sysmon v13.10?

I've been testing the brand new Sysmon v13.10 the last couple of hours and found what I believe are possible
(parser?) bugs:

First, FileCreate rules generate events for seemingly unmatched files.

This rule:

 <Rule name="Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access" groupRelation="and">
         <Image condition="image">chrome.exe</Image>
         <TargetFilename condition="end with">.bat</TargetFilename>
 </Rule>

generates events such as:

File created:
RuleName: Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access
UtcTime: 2021-04-23 07:08:18.332
ProcessGuid: {952ebdeb-7208-6082-7c04-000000006b00}
ProcessId: 1112
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\<my_user_here>\AppData\Local\Google\Chrome\User Data\Local State~RF5588b88.TMP
CreationUtcTime: 2021-04-23 07:08:18.332

Note the .TMP file ending in the event and the .bat ending in the rule. It's also worth noting that this is the first FileCreate rule for Chrome in
my ruleset. I haven't confirmed it, but my gut feeling tells me the rule somehow matches ALL files created by Chrome.

Second, I've found a similar problem with RegistryEvents.

Rules like this (with filtering on EventType to reduce the number of matches):

 <Rule name="Technique_id=T1543.003,Sub_Technique_name=Windows Service,Technique_name=Create or Modify System Process,Tactic=Privilege Escalation/Persistence" groupRelation="and">
     <EventType condition="is">SetValue</EventType>
     <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
     <TargetObject condition="end with">\ImagePath</TargetObject>
 </Rule>

now generate events on registry keys such as these:

TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\SigUpdateTimestampsSinceLastHB

TargetObject: HKU\S-1-5-21-3498627903-1158335656-2156597041-1002\SOFTWARE\Microsoft\Input\TypingInsights\Insights

TargetObject: HKU\S-1-5-21-3498627903-1158335656-2156597041-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings\SafeSearchMode

i.e. completely unrelated registry keys.
The matching rule is ALWAYS the first rule using the EventType filter and this rule changes to the next (first) if I comment it out.
And the number of logged events is somewhat large.

Can someone please confirm? (Or deny ;-)

windows-sysinternals-sysmon

I am experiencing this as well across all event types. Seems like sysmon is interpreting rule statements in groupRelation sections as "OR" conditions when you specify "AND".

Otherwise, Sysmon seems to be honoring AND/OR condition types as expected for rule statements not in groupRelation sections.

I've passed this thread along to developers via the syssite email alias.

0 Votes

@dstaulcu Thanks for your confirmation and for the escalation! Let's hope a fixed version is released soon!

0 Votes

No problem. Thanks to you as well. The product only gets better with effort on both sides (user and developer). I for one am hyper-focused on pathways to stabilize ruleGroup functionality.

0 Votes

I am also being hammered by Image Load and Registry Events logs in v13.10. Logs are being generated by unmatched rules like you have pointed out.

0 Votes

0 Votes
MichaelN-3711 answered

If anyone is interested, this bug is fixed in Sysmon v13.20 released on May 25th.

Thanks to all Microsoft developers who continue to make an excellent product even better!


0 Votes
foxmsft answered JanLinhart-5017 commented

Could you provide a little more context from the config? I'm interested in seeing the full event that encloses the quoted rules.


I have had a similar issue where Sysmon upgraded to 13.10 with the same config shovelled Event ID 12 for no particular reason:

https://github.com/olafhartong/sysmon-modular/issues/96

0 Votes

0 Votes
MichaelN-3711 answered MichaelN-3711 commented

@foxmsft I'm not really sure what you mean by "the full event"!? Here is some more context, though:

 <EventFiltering> 
    
     <!-- Other event types sorted in event id order -->
    
     <RuleGroup name="FileCreate - Include" groupRelation="or">
         <FileCreate onmatch="include">
            
             <!-- Lots of filters based on TargetFilename only -->
                
             <!-- This is the first FileCreate rule with Image filter -->
             <Rule name="Technique_id=T1566,Sub_Technique_name=Executable file created by cmd.exe,Technique_name=Phishing,Tactic=Initial Access" groupRelation="and">
                 <Image condition="image">cmd.exe</Image>
                 <TargetFilename condition="end with">.bat</TargetFilename>
             </Rule>
                
             <!-- More rules in similar style -->
                
         </FileCreate>
     </RuleGroup>
        
     <!-- Other event types sorted in event id order -->
        
     <RuleGroup name="RegistryEvent - Include" groupRelation="or">
         <RegistryEvent onmatch="include">
            
             <!-- Lots of filters based on TargetObject only -->
            
             <!-- This is the first RegistryEvent Rule with EventType filter -->
             <Rule name="Technique_id=T1543.003,Sub_Technique_name=Windows Service,Technique_name=Create or Modify System Process,Tactic=Privilege Escalation/Persistence" groupRelation="and">
                 <EventType condition="is">SetValue</EventType>
                 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
                 <TargetObject condition="end with">\ImagePath</TargetObject>
             </Rule>
                
             <!-- More rules in similar style and filters based on TargetObject only -->
                
         </RegistryEvent>
     </RuleGroup>
        
     <!-- Other event types sorted in event id order -->
    
 </EventFiltering>

Also, the included rules above are not the first rules in the rule groups. They are, however, the first rules using other filters than TargetFilename and TargetObject respectively.

0 Votes
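The symptom reported in the question (a groupRelation="and" rule firing on a .TMP file and on unrelated registry keys), the diagnosis in the first comment (clauses inside a Rule treated as "or"), and the config context posted above can be reproduced offline with the following added example. This is my own code, not Sysmon's implementation and not code from any poster: it re-implements a small subset of Sysmon's filter conditions (is, is not, contains, begin with, end with, image; case-insensitive, as the Sysmon documentation states) over a constructed config fragment and constructed events modelled on the ones quoted in the thread (the user name and the .bat/ImagePath hits are made up). With force_or=True it models the v13.10 misreading; spurious_events() is the check you can run over exported events to list hits that no rule should have produced.

```python
"""Added example: Sysmon-style rule matching, correct 'and' semantics vs. an 'or' misreading."""
import ntpath
import xml.etree.ElementTree as ET

# Constructed config fragment modelled on the rules quoted in the thread (not a real deployment).
CONFIG_XML = r"""<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="FileCreate - Include" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">.hta</TargetFilename>
        <Rule name="T1566.001 Spearphishing Attachment" groupRelation="and">
          <Image condition="image">chrome.exe</Image>
          <TargetFilename condition="end with">.bat</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="RegistryEvent - Include" groupRelation="or">
      <RegistryEvent onmatch="include">
        <Rule name="T1543.003 Windows Service" groupRelation="and">
          <EventType condition="is">SetValue</EventType>
          <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
          <TargetObject condition="end with">\ImagePath</TargetObject>
        </Rule>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def field_matches(condition, pattern, value):
    """Subset of Sysmon filter conditions; comparisons are case-insensitive like Sysmon's."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":
        # "image" matches either the full path or only the file name
        return v == p or ntpath.basename(v) == p
    raise ValueError(f"unsupported condition: {condition!r}")


def load_rules(config_xml):
    """Return [(event_type, rule_name, group_relation, [(field, condition, pattern), ...])]."""
    rules = []
    root = ET.fromstring(config_xml)
    for group in root.iter("RuleGroup"):
        for event_elem in group:                      # FileCreate, RegistryEvent, ...
            for child in event_elem:
                if child.tag == "Rule":
                    filters = [(f.tag, f.get("condition", "is"), f.text or "") for f in child]
                    rules.append((event_elem.tag, child.get("name", ""),
                                  child.get("groupRelation", "or"), filters))
                else:
                    # bare filter directly under the event type: a one-clause rule
                    rules.append((event_elem.tag, child.get("name", ""), "or",
                                  [(child.tag, child.get("condition", "is"), child.text or "")]))
    return rules


def matching_rules(rules, event_type, event, force_or=False):
    """Names of include rules matching the event. force_or=True models the v13.10
    symptom: every clause combined with 'or' regardless of groupRelation."""
    names = []
    for etype, name, relation, filters in rules:
        if etype != event_type:
            continue
        results = [field_matches(cond, pat, event.get(field, "")) for field, cond, pat in filters]
        combine = any if (force_or or relation == "or") else all
        if combine(results):
            names.append(name)
    return names


# Constructed events modelled on those posted in the thread ("alice" and the last two are made up).
EVENTS = [
    ("FileCreate", {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
                    "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State~RF5588b88.TMP"}),
    ("FileCreate", {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
                    "TargetFilename": r"C:\Users\alice\Downloads\invoice.bat"}),
    ("RegistryEvent", {"EventType": "SetValue",
                       "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\SigUpdateTimestampsSinceLastHB"}),
    ("RegistryEvent", {"EventType": "SetValue",
                       "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Evil\ImagePath"}),
]


def spurious_events(rules, events):
    """Indices of events the 'or' misreading would log but correct 'and' semantics would not."""
    return [i for i, (etype, ev) in enumerate(events)
            if matching_rules(rules, etype, ev, force_or=True) and not matching_rules(rules, etype, ev)]


if __name__ == "__main__":
    rules = load_rules(CONFIG_XML)
    for i, (etype, ev) in enumerate(EVENTS):
        print(i, etype, "correct:", matching_rules(rules, etype, ev),
              "v13.10-style:", matching_rules(rules, etype, ev, force_or=True))
    print("spurious:", spurious_events(rules, EVENTS))
```

Events 0 and 2 are exactly the "unmatched" hits from the question: under the "or" misreading the Image clause alone (event 0) or the EventType clause alone (event 2) is enough to fire the first multi-clause rule, which is why the RuleName is always the first rule carrying that filter type. To use this as a check on a real v13.10 host, feed load_rules() the deployed config and replace EVENTS with the fields from exported events; every index spurious_events() returns is a hit that the config did not ask for.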