Question

McGahanTimothyCIO-5151 asked

sysmon: "Details" interaction with "Newname" causes (Incorrect Field Details) error

https://docs.microsoft.com/en-us/answers/questions/332062/sysmon-help-im-unable-to-filter-on-eid-13-data-nam.html


It's been a year, and I'm still getting this error. Can anyone help me out here?

Somehow, this rule group creates the error. If I delete JUST "NewName", sysmon validates the conf with no problem (no "Incorrect Field Details").

 <Rule groupRelation="and">
   <TargetObject name="x" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
   <EventType name="x" condition="is">CreateKey</EventType>
   <NewName name="x" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</NewName>
 </Rule>

Tag: windows-sysinternals-sysmon

Troubleshooting

[screenshot attachment]

1 Answer

McGahanTimothyCIO-5151 answered

Troubleshooting the interrelation between groups with "Details" in them and those without.

[screenshot attachment]

This group is what's causing the "Incorrect Field Details" error on my un-altered configuration:

 <Rule groupRelation="and">
   <TargetObject name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
   <EventType name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="is">CreateKey</EventType>
   <NewName name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</NewName>
 </Rule>

It's the only one in my configuration with "NewName".


I removed JUST that line that contained "NewName" and my conf passed.


If I changed the "NewName" field to "Details" in that group, my configuration passes.

 <Rule groupRelation="and">
   <TargetObject name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
   <EventType name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="is">CreateKey</EventType>
   <Details name="technique_id=AO.TA0005.T1562.001.001,technique_name=Disable Security Events Logging Adding Reg Key MiniNt" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</Details>
 </Rule>
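For a quick pre-check before loading a config, the following added Python example (not from this thread and not part of Sysmon) parses the RegistryEvent rule groups and flags any group that pairs the NewName field with an EventType other than RenameKey. The field-to-event mapping follows the Sysmon event reference, where NewName is a field of the Event ID 14 key/value rename event while CreateKey belongs to Event ID 12; the sample config, the rule names, the schemaversion value and the check itself are assumptions of this example and are not Sysmon's own validation logic, so a clean result here does not guarantee that sysmon will accept the file.

```python
"""Pre-check a Sysmon config for RegistryEvent rule groups that combine the
NewName field with an EventType other than RenameKey.

Added example, not from the Q&A thread or the Sysmon project. The mapping
below follows the Sysmon event reference (NewName is a field of the Event
ID 14 rename event, EventType RenameKey; CreateKey is an Event ID 12 type).
Treating that pairing as a mismatch is a heuristic of this script, not a
statement of how sysmon validates a configuration.
"""
import xml.etree.ElementTree as ET

# Registry fields that the Sysmon event reference documents only for
# specific EventType values (assumption: only NewName is checked here).
EVENT_SPECIFIC_FIELDS = {
    "NewName": {"RenameKey"},  # Event ID 14 only
}

# Constructed sample config mirroring the thread: one group pairs NewName
# with CreateKey (flagged), one pairs NewName with RenameKey (accepted).
# schemaversion is illustrative only.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <Rule groupRelation="and">
          <TargetObject name="minint-create" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</TargetObject>
          <EventType name="minint-create" condition="is">CreateKey</EventType>
          <NewName name="minint-create" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</NewName>
        </Rule>
        <Rule groupRelation="and">
          <EventType name="minint-rename" condition="is">RenameKey</EventType>
          <NewName name="minint-rename" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\MiniNt</NewName>
        </Rule>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def _iter_rule_groups(registry_event):
    """Yield (label, [field elements]) for each <Rule> group, then for any
    bare filter elements placed directly under <RegistryEvent>."""
    for rule in registry_event.findall("Rule"):
        # Sysmon puts the rule name on the field elements; reuse the first one.
        label = rule.get("name") or next(
            (f.get("name") for f in rule if f.get("name")), "<unnamed Rule>")
        yield label, list(rule)
    bare = [child for child in registry_event if child.tag != "Rule"]
    if bare:
        yield "<top-level filters>", bare


def check_registry_rules(xml_text):
    """Return a list of human-readable findings; an empty list means no
    NewName/EventType mismatch was found."""
    root = ET.fromstring(xml_text)
    findings = []
    for registry_event in root.iter("RegistryEvent"):
        for label, fields in _iter_rule_groups(registry_event):
            # EventType values the group requires (normally one per group).
            event_types = {f.text.strip() for f in fields
                           if f.tag == "EventType" and f.text}
            for field in fields:
                allowed = EVENT_SPECIFIC_FIELDS.get(field.tag)
                if allowed is None or not event_types:
                    continue
                mismatched = event_types - allowed
                if mismatched:
                    findings.append(
                        f"{label}: field {field.tag} is documented only for "
                        f"EventType {sorted(allowed)} but the group also "
                        f"requires EventType {sorted(mismatched)}")
    return findings


if __name__ == "__main__":
    for line in check_registry_rules(SAMPLE_CONFIG) or ["no mismatches found"]:
        print(line)
```

Running the script on the constructed sample reports the CreateKey group and stays silent on the RenameKey group; pointing `check_registry_rules` at the text of a real config gives the same kind of list, which is easier to act on than the bare "Incorrect Field Details" message.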