can't exclude event with sysmon v10.42
Hi all, (Thanks SwiftOnSecurity for your work)
I'm trying to simply exclude events like "ping 8.8.8.8", but it has no effect! OS = Win7 (on VirtualBox), Sysmon = 10.42, XML = sysmon-config from SwiftOnSecurity
1) Take your XML and load Sysmon: Sysmon64.exe -c SysmonConfig.xml
2) Test ping 8.8.8.8 in cmd.exe
3) Sysmon log in Event Viewer:
Process Create:
RuleName: technique_id=T1059,technique_name=Command-Line Interface
...
Image: C:\Windows\System32\PING.EXE
OriginalFileName: ping 8.8.8.8
CommandLine: C:\sysmon\
ParentImage: ndows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe"
4) Then put exclusions in your XML (I put a lot because I tried everything to block it)
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="exclude">
    <Image condition="is">C:\Windows\system32\ping.exe</Image>
    <ParentCommandLine condition="is">C:\Windows\System32\cmd.exe</ParentCommandLine>
    <ParentImage condition="end with">\System32\cmd.exe</ParentImage>
    <CommandLine condition="contains">ping.exe</CommandLine>
    <CommandLine condition="contains">cmd.exe</CommandLine>
    <CommandLine condition="contains">sysmon</CommandLine>
    ...
  </ProcessCreate>
</RuleGroup>
5) Update sysmon with new rules:
Sysmon64.exe -c SysmonConfig.xml
Loading configuration file with schema version 4.22
Sysmon schema version: 4.23
Configuration file validated.
Configuration updated.
6) Test ping 8.8.8.8 in cmd.exe
7) Same log in Event Viewer as before:
RuleName: technique_id=T1059,technique_name=Command-Line Interface
Image: C:\Windows\System32\PING.EXE
OriginalFileName: ping 8.8.8.8
CommandLine: C:\sysmon\
ParentImage: ndows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe"
Am I missing something? I even tried debug mode (Sysmon64.exe -t -i SysmonConfig.xml), but it seems to be disabled in 10.42.
Regards
Hi soukoye,
Did you try just ping.exe in uppercase, like your example event?
Excluding cmd.exe parent events means that you will most likely have no visibility into anything typed in a command prompt. Always try to make your exclusions granular.
I would look at excluding network connections to 8.8.8.8.
Cheers
Cyberkryption
On Tue, 24 Dec 2019, 12:32 soukoye, [email protected] wrote:
Hi cyberkryption,
Yes, PING.EXE was my first try, but no effect. I don't want to exclude cmd.exe parent events because I know they're important. It was just for my test: even excluding cmd.exe isn't working.
Cheers
Hey all, (Thanks to everyone that has contributed and continues to contribute to this repo...Great work!)
My env: Sysmon.exe version 10.42, Windows 10 1709+, SwiftOnSecurity config with some custom additions
I'm also not having much luck with certain exclusions in this config, but regarding registry and DNS events rather than process creation events.
I don't want to start excluding general groups of filter rules to stop a few noisy ones...
Thanks!
I also have the same issue having gone to 10.42, so I went back to a basic pull of version 71 and added a simple Splunk exclusion to EventID 1:
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="exclude">
    <!--SECTION: TEST-->
    <Image condition="begin with">C:\splunk\bin\</Image>
    <ParentImage condition="is">C:\splunk\bin\splunkd.exe</ParentImage>
    <!--SECTION: Microsoft Windows-->
I can see that it is in the running config:
Rule configuration (version 4.22):
- ProcessCreate onmatch: exclude combine rules using 'Or'
Image filter: begin with value: 'C:\splunk\bin'
ParentImage filter: is value: 'C:\splunk\bin\splunkd.exe'
CommandLine filter: begin with value: '"C:\Windows\system32\wermgr.exe" "-queuereporting_svc"'
CommandLine filter: begin with value: 'C:\Windows\system32\DllHost.exe /Processid'
Yet I'm still seeing events being included. This seems like a bug in the parsing again for the 10.42 version?
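As an added diagnostic for both the ping exclusion in the first post and the Splunk exclusion in the reply above (this is example code, not from the thread or the sysmon-config project), the script below parses a Sysmon config fragment and applies the filter semantics Sysmon documents for a handful of conditions (case-insensitive comparison; `is`, `is not`, `contains`, `excludes`, `begin with`, `end with`, `image`; `RuleGroup` `groupRelation` and `<Rule>` compounds) to constructed events built from the field values shown in the thread. If it reports that a rule matches the event while the live Sysmon still logs it, the rule text itself is not the problem and the running configuration or the Sysmon build is where to look next. The config fragment, the events, the `splunk-winevtlog.exe` image name and all function names are assumptions made for the example.

```python
"""Offline Sysmon exclusion checker (added example, not code from the
issue thread or the sysmon-config project).

Assumptions: Sysmon's documented filter semantics for the conditions
handled below (values compared case-insensitively; RuleGroup
groupRelation "or"/"and"; <Rule> compounds AND their fields). The
config fragment and the events are constructed from values in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed config: the ping exclusion from the first post plus the
# Splunk exclusion from the last reply, inside one RuleGroup.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!--SECTION: TEST-->
        <Image condition="is">C:\Windows\system32\ping.exe</Image>
        <Image condition="begin with">C:\splunk\bin\</Image>
        <ParentImage condition="is">C:\splunk\bin\splunkd.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed events using the field values shown in the thread.
PING_EVENT = {
    "Image": r"C:\Windows\System32\PING.EXE",  # uppercase, as logged
    "CommandLine": "ping 8.8.8.8",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
}
SPLUNK_EVENT = {  # hypothetical forwarder child process
    "Image": r"C:\splunk\bin\splunk-winevtlog.exe",
    "ParentImage": r"C:\splunk\bin\splunkd.exe",
}
NOTEPAD_EVENT = {
    "Image": r"C:\Windows\System32\notepad.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
}


def match_condition(condition, field_value, rule_value):
    """Apply one Sysmon filter condition; comparisons are case-insensitive."""
    v, t = field_value.lower(), rule_value.lower()
    if condition == "is":
        return v == t
    if condition == "is not":
        return v != t
    if condition == "contains":
        return t in v
    if condition == "excludes":
        return t not in v
    if condition == "begin with":
        return v.startswith(t)
    if condition == "end with":
        return v.endswith(t)
    if condition == "image":  # full path or bare file name
        return v == t or v.rsplit("\\", 1)[-1] == t
    raise ValueError(f"condition not handled by this checker: {condition!r}")


def parse_filters(xml_text):
    """Return [(event_type, onmatch, relation, rules)]; each rule is a list of
    (field, condition, value) tuples that must all hold."""
    root = ET.fromstring(xml_text)  # XML comments are skipped by the parser
    ef = root.find("EventFiltering")
    filters = []
    for child in (ef if ef is not None else []):
        if child.tag == "RuleGroup":  # RuleGroup layout (schema 4.1+)
            relation, events = child.get("groupRelation", "or").lower(), list(child)
        else:  # older layout: event element directly under EventFiltering
            relation, events = "or", [child]
        for ev in events:
            rules = []
            for f in ev:
                parts = list(f) if f.tag == "Rule" else [f]
                rules.append([(p.tag, p.get("condition", "is"), p.text or "") for p in parts])
            filters.append((ev.tag, ev.get("onmatch", "include").lower(), relation, rules))
    return filters


def _rule_hits(rules, fields):
    return [all(f in fields and match_condition(c, fields[f], val) for f, c, val in rule)
            for rule in rules]


def matching_rules(filters, event_type, fields):
    """Return [(onmatch, rule)] for every individual rule the event satisfies."""
    hits = []
    for ev, onmatch, _relation, rules in filters:
        if ev == event_type:
            hits += [(onmatch, r) for r, hit in zip(rules, _rule_hits(rules, fields)) if hit]
    return hits


def would_log(filters, event_type, fields):
    """Decide whether Sysmon would record the event under these filters."""
    include_seen = include_hit = exclude_hit = False
    for ev, onmatch, relation, rules in filters:
        if ev != event_type:
            continue
        per_rule = _rule_hits(rules, fields)
        group_hit = bool(rules) and (all(per_rule) if relation == "and" else any(per_rule))
        if onmatch == "exclude":
            exclude_hit = exclude_hit or group_hit
        else:
            include_seen, include_hit = True, include_hit or group_hit
    if exclude_hit:
        return False
    return include_hit if include_seen else True  # no include filter: log everything not excluded


if __name__ == "__main__":
    filters = parse_filters(SAMPLE_CONFIG)
    for name, ev in [("ping", PING_EVENT), ("splunk", SPLUNK_EVENT), ("notepad", NOTEPAD_EVENT)]:
        verdict = "logged" if would_log(filters, "ProcessCreate", ev) else "excluded"
        print(name, verdict, matching_rules(filters, "ProcessCreate", ev))
```

Point it at the real SysmonConfig.xml and a dict built from the Event Viewer fields to see which rule, if any, the checker thinks applies; the per-rule output is what makes the difference between "the rule never matched" and "the rule matched but Sysmon did not honour it" visible.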