
Issues with CommandLine conditions "Testing Line Dllhost.exe exclusion"

Open johnyb0312 opened this issue 6 years ago • 5 comments

Any:

Trying to understand config fully.

Under ProcessCreate onmatch='exclude' I expect that all processes created on the system running sysmon to be logged except what we specify in the stanzas below.

Line 76: `<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>`

When the system creates a service using DLLHost.exe from system32 the system "does not" log the event. This is expected.

When I attempt to invoke the process interactively from "cmd.exe" the system logs the event.

Can someone explain why this is and what I need to do to test this rule interactively or explain why I cannot?

johnyb0312, Jun 08 '19 06:06

I'm sorry can you provide the complete line you're testing?

SwiftOnSecurity, Jun 13 '19 06:06

I'm new to working with Sysmon and I'm interested in this too. This is under Event ID 1 section. I've grabbed a few extra lines for context.

```xml
<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
<ProcessCreate onmatch="exclude">
	<!--SECTION: Microsoft Windows-->
	<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
```

ClintRajaniemi, Jun 13 '19 22:06

Sorry, I have been away for a few days.

Upgraded to 10.2 with same issues.

```xml
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="exclude">
    <!--SECTION: Microsoft Windows-->
    <CommandLine condition="is">C:\Windows\system32\wermgr.exe -upload</CommandLine> <!--Windows:Windows error reporting/telemetry-->
```

[Screenshots: wermgr command-line execution and the resulting event (wermgr_evt2)]

johnyb0312, Jun 30 '19 17:06

This is excluded; note the section starting `ProcessCreate onmatch="exclude"`.


cyberkryption, Jul 02 '19 05:07

That will depend on your config. Are you logging cmd.exe events? If so, it will log this. To answer your question, please post your config if you can.


cyberkryption, Jul 02 '19 06:07
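Sysmon's `begin with` condition is a case-insensitive prefix test on the `CommandLine` field exactly as Sysmon recorded it, so the same binary started with a different command-line spelling (no full path, or a quoted path) falls outside the exclusion and is logged. The evaluator below is an added example, not part of this issue or of sysmon-config: the config excerpt and the CommandLine samples are constructed, and the all-zero Processid is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in sysmon-config layout (not the project's full file):
# the two rules quoted in the thread, under ProcessCreate onmatch="exclude".
CONFIG_XML = r"""<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
        <CommandLine condition="is">C:\Windows\system32\wermgr.exe -upload</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def load_rules(xml_text, event="ProcessCreate"):
    """Return (onmatch, [(field, condition, value), ...]) for one event type."""
    node = ET.fromstring(xml_text).find(f".//{event}")
    rules = [(r.tag, r.get("condition", "is"), r.text or "") for r in node]
    return node.get("onmatch"), rules

def condition_matches(cond, value, actual):
    """Subset of Sysmon string conditions; Sysmon compares case-insensitively."""
    a, v = actual.lower(), value.lower()
    return {"is": a == v, "begin with": a.startswith(v),
            "end with": a.endswith(v), "contains": v in a}[cond]

def is_logged(event_fields, onmatch, rules):
    """exclude: logged unless some rule matches; include: logged only if one matches."""
    matched = any(condition_matches(c, v, event_fields.get(f, "")) for f, c, v in rules)
    return not matched if onmatch == "exclude" else matched

# Constructed CommandLine values: what Sysmon would record for a service-launched
# COM surrogate versus the same binary typed at a cmd.exe prompt (placeholder GUID).
SAMPLES = {
    "service": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
    "interactive_short": r"dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
    "interactive_quoted": r'"C:\Windows\system32\DllHost.exe" /Processid:{00000000-0000-0000-0000-000000000000}',
    "wermgr_upload": r"C:\Windows\system32\wermgr.exe -upload",
}

def evaluate_samples():
    """Map each sample name to whether Event ID 1 would be written for it."""
    onmatch, rules = load_rules(CONFIG_XML)
    return {name: is_logged({"CommandLine": cl}, onmatch, rules) for name, cl in SAMPLES.items()}

if __name__ == "__main__":
    for name, logged in evaluate_samples().items():
        print(f"{name:20s} logged={logged}")
```

Only the service-style launch and the exact wermgr line are suppressed; both interactive spellings miss the prefix and are logged, which is the behaviour the thread describes.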