
0 Votes
JanLinhart-5017 asked JanLinhart-5017 answered

Sysmon 13.33

Does Sysmon support wildcards, for instance:

<Sysmon schemaversion="4.60">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <!-- both filters must match (groupRelation="and") for the event to be excluded -->
        <Rule groupRelation="and">
          <SourceImage condition="end with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe</SourceImage>
          <TargetImage condition="end with">C:\Windows\Explorer.EXE</TargetImage>
        </Rule>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

to write as:

<Sysmon schemaversion="4.60">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <Rule groupRelation="and">
          <!-- intended: match NGenTask.exe under any Framework version directory -->
          <SourceImage condition="end with">C:\Windows\Microsoft.NET\Framework\v*\NGenTask.exe</SourceImage>
          <TargetImage condition="end with">C:\Windows\Explorer.EXE</TargetImage>
        </Rule>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

or else, for instance, applications or documents under c:/user/?/

etc.

Thank you.

windows-sysinternals-sysmon

0 Votes
cooldadtx answered

I haven't verified, but you should be able to do basically what you want using the "begins with" and "ends with" conditions. You can group multiple conditions for a single filter using "and" and "or".

<SourceImage condition="end with">\NGenTask.exe</SourceImage>


That should filter out any process that isn't called ngentask, which I would wager would only be the framework. However, if you wanted to include the path, then you probably could do something like this, but I haven't tested it.

<SourceImage condition="end with">\NGenTask.exe</SourceImage>
<SourceImage condition="begin with">C:\Windows\Microsoft.NET\Framework\v</SourceImage>


Alternatively, you might be able to get this to work with "contains all".

<SourceImage condition="contains all">C:\Windows\Microsoft.NET\Framework\v;\NGenTask.exe</SourceImage>


The documentation is here, so you can get a better idea of the options.

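As an added example (not code from this thread and not Sysinternals' own implementation), the following Python script models how Sysmon evaluates the conditions the answer above relies on, and runs a config in the same shape as the one in the question over a few constructed ProcessAccess (event ID 10) events. Sysmon's filter conditions have no wildcard syntax, so a "*" inside a value is compared literally and the "v*" rule never matches; pairing "begin with" and "end with" on the same field inside a Rule with groupRelation="and", or using "contains all" with ";"-separated values, does what the question wants. The rule names, the sample image paths and the evaluator itself are assumptions of this example; it implements only the subset of conditions it uses, and the real Sysmon has more.

```python
"""Toy model of Sysmon filter evaluation, showing why 'v*' does not work and how
begin with / end with / contains all combine inside a Rule (example, not Sysmon code)."""
import xml.etree.ElementTree as ET

# Constructed config, not taken verbatim from the thread. Rule names are hypothetical
# labels so the evaluator can report which rule fired.
CONFIG = r"""<Sysmon schemaversion="4.60">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <!-- '*' is a literal character to Sysmon, so this never matches a real path -->
        <Rule name="literal-star" groupRelation="and">
          <SourceImage condition="end with">C:\Windows\Microsoft.NET\Framework\v*\NGenTask.exe</SourceImage>
          <TargetImage condition="end with">C:\Windows\Explorer.EXE</TargetImage>
        </Rule>
        <!-- suffix only: matches an NGenTask.exe dropped anywhere on disk -->
        <Rule name="suffix-only" groupRelation="and">
          <SourceImage condition="end with">\NGenTask.exe</SourceImage>
          <TargetImage condition="end with">\Explorer.EXE</TargetImage>
        </Rule>
        <!-- prefix AND suffix on the same field, pinned to the Framework directory -->
        <Rule name="prefix-suffix" groupRelation="and">
          <SourceImage condition="begin with">C:\Windows\Microsoft.NET\Framework\v</SourceImage>
          <SourceImage condition="end with">\NGenTask.exe</SourceImage>
          <TargetImage condition="end with">\Explorer.EXE</TargetImage>
        </Rule>
        <!-- same intent expressed with 'contains all' and a ';' separated list -->
        <Rule name="contains-all" groupRelation="and">
          <SourceImage condition="contains all">C:\Windows\Microsoft.NET\Framework\v;\NGenTask.exe</SourceImage>
          <TargetImage condition="image">Explorer.EXE</TargetImage>
        </Rule>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed ProcessAccess events (event ID 10 field names), not real telemetry.
EVENTS = {
    "ngen-v4": {"SourceImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe",
                "TargetImage": r"C:\Windows\Explorer.EXE"},
    "ngen-v2": {"SourceImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\NGenTask.exe",
                "TargetImage": r"C:\Windows\explorer.exe"},
    "ngen-fake": {"SourceImage": r"C:\Users\Public\NGenTask.exe",
                  "TargetImage": r"C:\Windows\Explorer.EXE"},
    "lsass-access": {"SourceImage": r"C:\Users\alice\Downloads\tool.exe",
                     "TargetImage": r"C:\Windows\System32\lsass.exe"},
}


def condition_matches(condition, value, pattern):
    """Subset of Sysmon's filter conditions; Sysmon compares case-insensitively."""
    v, p = value.lower(), pattern.lower()
    parts = [x.strip() for x in p.split(";") if x.strip()]
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "contains any":
        return any(x in v for x in parts)
    if condition == "contains all":
        return all(x in v for x in parts)
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":
        # full path when a backslash is given, otherwise only the file name
        return v == p if "\\" in p else v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"unsupported condition: {condition}")


def _filter_matches(elem, event):
    return condition_matches(elem.get("condition", "is"), event.get(elem.tag, ""),
                             (elem.text or "").strip())


def _child_matches(child, event):
    """A <Rule> ANDs or ORs its filters per groupRelation; a bare filter stands alone."""
    if child.tag != "Rule":
        return _filter_matches(child, event)
    results = [_filter_matches(f, event) for f in child]
    return all(results) if child.get("groupRelation", "or").lower() == "and" else any(results)


def matching_rules(config_xml, event_type, event):
    """Names of the rules under every <event_type> element that match the event."""
    root = ET.fromstring(config_xml)
    return [child.get("name", child.tag) for ev in root.iter(event_type)
            for child in ev if _child_matches(child, event)]


def is_logged(config_xml, event_type, event):
    """Sysmon semantics: a matching exclude rule always drops the event; when an
    include element exists, the event is logged only if an include rule matches."""
    root = ET.fromstring(config_xml)
    excluded = included = has_include = False
    for ev in root.iter(event_type):
        hit = any(_child_matches(c, event) for c in ev)
        if ev.get("onmatch", "exclude").lower() == "exclude":
            excluded = excluded or hit
        else:
            has_include, included = True, included or hit
    return False if excluded else (included if has_include else True)


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:13s} logged={is_logged(CONFIG, 'ProcessAccess', ev)!s:5} "
              f"rules={matching_rules(CONFIG, 'ProcessAccess', ev)}")
```

Running it shows the "literal-star" rule never firing, while "prefix-suffix" and "contains-all" exclude NGenTask.exe from both Framework version directories. It also shows the cost of the suffix-only shortcut: a binary named NGenTask.exe in C:\Users\Public is excluded by "suffix-only" alone, so an exclusion that is meant to cover "any framework version" should keep the "begin with" prefix rather than drop the path entirely.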

0 Votes
JanLinhart-5017 answered

Thank you, it all makes sense now :)
