I've been testing the brand new Sysmon v13.10 the last couple of hours and found what I believe are possible (parser?) bugs:
First, FileCreate rules generate events for seemingly unmatched files.
This rule:
<Rule name="Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access" groupRelation="and">
    <Image condition="image">chrome.exe</Image>
    <TargetFilename condition="end with">.bat</TargetFilename>
</Rule>
generates events such as:
File created:
RuleName: Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access
UtcTime: 2021-04-23 07:08:18.332
ProcessGuid: {952ebdeb-7208-6082-7c04-000000006b00}
ProcessId: 1112
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\<my_user_here>\AppData\Local\Google\Chrome\User Data\Local State~RF5588b88.TMP
CreationUtcTime: 2021-04-23 07:08:18.332
Note the .TMP file ending in the event and the .bat ending in the rule. It's also worth noting that this is the first FileCreate rule for Chrome in my ruleset. I haven't confirmed it, but my gut feeling tells me the rule somehow matches ALL files created by Chrome.
Second, I've found a similar problem with RegistryEvents.
Rules like this (with filtering on EventType to reduce the number of matches):
<Rule name="Technique_id=T1543.003,Sub_Technique_name=Windows Service,Technique_name=Create or Modify System Process,Tactic=Privilege Escalation/Persistence" groupRelation="and">
    <EventType condition="is">SetValue</EventType>
    <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
    <TargetObject condition="end with">\ImagePath</TargetObject>
</Rule>
now generate events on registry keys such as these:
TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\SigUpdateTimestampsSinceLastHB
TargetObject: HKU\S-1-5-21-3498627903-1158335656-2156597041-1002\SOFTWARE\Microsoft\Input\TypingInsights\Insights
TargetObject: HKU\S-1-5-21-3498627903-1158335656-2156597041-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings\SafeSearchMode
i.e. completely unrelated registry keys.
The matching rule is ALWAYS the first rule using the EventType filter and this rule changes to the next (first) if I comment it out.
And the number of logged events is somewhat large.
Can someone please confirm? (Or deny ;-)
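An offline way to check what the two rules above should match, added here as an example and not part of the original post or of Sysmon itself: the script below evaluates the quoted rules against event fields using the documented rule semantics (case-insensitive string comparison, `image` matching the file-name part of `Image`, `groupRelation="and"` requiring every condition to hold). The `.TMP` event from the post comes out as a non-match, which is the behaviour the post expected; the `.bat` FileCreate event and the `Services\...\ImagePath` registry event are constructed counterparts that should match. `parse_event_text`, `rule_matches` and the sample events are assumptions made for this check, not Sysmon API.

```python
"""Offline check of Sysmon rule matching against event fields.

Added example for this thread, not Sysmon's own matcher. Assumptions:
Sysmon compares strings case-insensitively, the "image" condition matches
either the full Image path or just its file name, and groupRelation
"and"/"or" combines the conditions inside one <Rule>.
"""
import ntpath
import xml.etree.ElementTree as ET

# The two rules quoted in the post, verbatim.
FILE_RULE = """<Rule name="Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access" groupRelation="and">
<Image condition="image">chrome.exe</Image>
<TargetFilename condition="end with">.bat</TargetFilename>
</Rule>"""

REG_RULE = r"""<Rule name="Technique_id=T1543.003,Sub_Technique_name=Windows Service,Technique_name=Create or Modify System Process,Tactic=Privilege Escalation/Persistence" groupRelation="and">
<EventType condition="is">SetValue</EventType>
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject>
<TargetObject condition="end with">\ImagePath</TargetObject>
</Rule>"""

# The FileCreate event from the post (user name kept as the post's placeholder).
CHROME_TMP_EVENT = r"""File created:
RuleName: Technique_id=T1566.001 a,Sub_Technique_name=Spearphishing Attachment,Technique_name=Phishing,Tactic=Initial Access
UtcTime: 2021-04-23 07:08:18.332
ProcessGuid: {952ebdeb-7208-6082-7c04-000000006b00}
ProcessId: 1112
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\<my_user_here>\AppData\Local\Google\Chrome\User Data\Local State~RF5588b88.TMP
CreationUtcTime: 2021-04-23 07:08:18.332
"""

# Constructed counterpart that the FileCreate rule should match.
CHROME_BAT_EVENT = {
    "Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    "TargetFilename": r"C:\Users\<my_user_here>\Downloads\example.bat",
}
# Registry key from the post; EventType assumed SetValue since the post filtered on it.
DEFENDER_REG_EVENT = {
    "EventType": "SetValue",
    "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\SigUpdateTimestampsSinceLastHB",
}
# Constructed event that the registry rule should match.
SERVICE_IMAGEPATH_EVENT = {
    "EventType": "SetValue",
    "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
}


def condition_matches(cond, wanted, actual):
    """Evaluate one Sysmon condition (subset) case-insensitively."""
    c, w, a = cond.lower(), wanted.lower(), actual.lower()
    if c == "is":
        return a == w
    if c == "is not":
        return a != w
    if c == "contains":
        return w in a
    if c == "begin with":
        return a.startswith(w)
    if c == "end with":
        return a.endswith(w)
    if c == "not begin with":
        return not a.startswith(w)
    if c == "not end with":
        return not a.endswith(w)
    if c == "image":
        # Matches the full path or only the file-name component of the path.
        return a == w or ntpath.basename(a) == w
    raise ValueError(f"unsupported condition: {cond}")


def rule_matches(rule_xml, event):
    """Apply every child condition of a <Rule> to the event's fields."""
    rule = ET.fromstring(rule_xml)
    relation = rule.get("groupRelation", "or").lower()
    results = []
    for field in rule:
        actual = event.get(field.tag)
        cond = field.get("condition", "is")
        results.append(actual is not None and condition_matches(cond, field.text or "", actual))
    if not results:
        return False
    return all(results) if relation == "and" else any(results)


def parse_event_text(text):
    """Parse the 'Key: Value' lines of a Sysmon event as rendered in the post."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line and not line.endswith(":"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def expected_matches():
    """What each sample event should do under the rule semantics above."""
    return {
        "chrome_tmp": rule_matches(FILE_RULE, parse_event_text(CHROME_TMP_EVENT)),
        "chrome_bat": rule_matches(FILE_RULE, CHROME_BAT_EVENT),
        "defender_key": rule_matches(REG_RULE, DEFENDER_REG_EVENT),
        "service_imagepath": rule_matches(REG_RULE, SERVICE_IMAGEPATH_EVENT),
    }


if __name__ == "__main__":
    for name, hit in expected_matches().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

Run it as a plain script; the `.TMP` and Windows Defender events report "no match" while the two constructed events report "match". Anything Sysmon logs that this check rejects is a candidate for the report above, and the same harness can be fed the full event text exported from the Sysmon operational log to see how many of the logged events the rule actually explains.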