sysmon: "Details" interaction with "Newname" causes (Incorrect Field Details) error

Question

question

McGahanTimothyCIO-5151 asked Mar 18, '22 McGahanTimothyCIO-5151 commented Mar 18, '22

sysmon: "Details" interaction with "Newname" causes (Incorrect Field Details) error

https://docs.microsoft.com/en-us/answers/questions/332062/sysmon-help-im-unable-to-filter-on-eid-13-data-nam.html

It's been a year, and I'm still getting this error. Can anyone help me out here?

Somehow, this rulegroup creates the error. If I delete JUST "NewName", sysmon validates the conf with no problem (No "Incorrect Field Details")

 <Rule groupRelation="and">
   <TargetObject name="x" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
   <EventType name="x" condition="is">CreateKey</EventType>
   <NewName name="x" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</NewName>
 </Rule>

[1]: /answers/storage/attachments/184701-image.png

windows-sysinternals-sysmon

image.png (56.2 KiB)

image.png (98.3 KiB)

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

McGahanTimothyCIO-5151 · Mar 18 at 06:17 PM

Troubleshooting

0 ·

image.png (69.8 KiB)

Answer 1 · 2022-03-18T18:16:37.263Z

McGahanTimothyCIO-5151 answered Mar 18, '22 McGahanTimothyCIO-5151 commented Mar 18, '22

Trouble shooting the interrelation between groups with "Details" in them and those without.

image.png (69.8 KiB)

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

McGahanTimothyCIO-5151 · Mar 18 at 06:29 PM

This group is what's causing the "Incorrect Field Details" error on my un-altered configuration:

 <Rule groupRelation="and">
   <TargetObject name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
   <EventType name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="is">CreateKey</EventType>
   <NewName name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</NewName>
 </Rule>

It's the only one in my configuration with "NewName".

0 ·

McGahanTimothyCIO-5151 McGahanTimothyCIO-5151 · Mar 18 at 06:42 PM

I removed JUST that line that contained "NewName" and my conf passed.

0 ·

McGahanTimothyCIO-5151 McGahanTimothyCIO-5151 · Mar 18 at 06:52 PM

If I changed the "NewName" field to "Details" in that group, my configuration passes.

     <Rule groupRelation="and">
       <TargetObject name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
       <EventType name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="is">CreateKey</EventType>
       <Details name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</Details>
     </Rule>

0 ·

question