
Sysmon Config: RuleName Field Value not showing the entire string

Open Cyb3rWard0g opened this issue 4 years ago • 1 comments

Hello Team,

I noticed that there might be a limit for the length of strings even when I set the following in the Sysmon config:

<FieldSizes>RuleName:1000</FieldSizes>

Sample Sysmon Config:

<!--
  Technique: Obfuscated Files or Information: Binary Padding
-->
<Sysmon schemaversion="4.81">
  <FieldSizes>RuleName:1000</FieldSizes>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="TechniqueID=T1027.001,TechniqueName=Obfuscated Files or Information: Binary Padding" groupRelation="and">
          <Image condition="is">/bin/dd</Image>
          <CommandLine condition="contains all">dd;if=</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Triggering Rule

echo 'hello' > wardog.txt
dd if=/dev/zero bs=1 count=1 >> wardog.txt

Results:

wardog@UBUNTU5:~$ sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1
Event SYSMONEVENT_CREATE_PROCESS
        RuleName: TechniqueID=T1027.001,TechniqueName=Obfuscated Files or
        UtcTime: 2021-10-17 07:28:43.678
        ProcessGuid: {ed37ca6a-d0ab-616b-60cc-3fd656550000}
        ProcessId: 18386
        Image: /bin/dd
        FileVersion: -
        Description: -
        Product: -
        Company: -
        OriginalFileName: -
        CommandLine: dd if=/dev/zero bs=1 count=1
        CurrentDirectory: /home/wardog
        User: wardog
        LogonGuid: {ed37ca6a-b6fc-616b-e803-000000000000}
        LogonId: 1000
        TerminalSessionId: 1151
        IntegrityLevel: no level
        Hashes: -
        ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
        ParentProcessId: 11020
        ParentImage: -
        ParentCommandLine: -
        ParentUser: -


Cyb3rWard0g avatar Oct 17 '21 07:10 Cyb3rWard0g

Hi, this still seems to be an issue. I made a fresh install of Sysmon for Linux on a new Debian 11 (bullseye) VM and rule names got shortened.

Rule name="TechniqueID=T1059.004,TechniqueName=Command and Scripting Interpreter: Unix Shell" was shortened to "TechniqueID=T1059.004,TechniqueName=Command and Scriptin", and Rule name="TechniqueID=T1053.003,TechniqueName=Scheduled Task/Job: Cron" was truncated to "TechniqueID=T1053.003,Te".

t08 avatar Apr 05 '22 13:04 t08
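A way to catch the truncation described in the two reports above before a detection keyed on RuleName silently stops matching: this added check (not SysmonForLinux project code) parses the posted config, reads the FieldSizes RuleName cap, and compares RuleName values in sysmonLogView-style output against the configured rule names. The config and event lines are constructed from the issue text; the function names are assumptions of this example.

```python
# Added check (not SysmonForLinux project code): flag configured rule names
# longer than the FieldSizes RuleName cap, and flag emitted RuleName values
# that are only a strict prefix of a configured name (i.e. truncated).
import re
import xml.etree.ElementTree as ET

# Constructed config, reduced from the one posted in the issue.
SYSMON_CONFIG = """<Sysmon schemaversion="4.81">
  <FieldSizes>RuleName:1000</FieldSizes>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="TechniqueID=T1027.001,TechniqueName=Obfuscated Files or Information: Binary Padding" groupRelation="and">
          <Image condition="is">/bin/dd</Image>
          <CommandLine condition="contains all">dd;if=</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed event lines in the layout sysmonLogView prints.
EVENT_LINES = [
    "Event SYSMONEVENT_CREATE_PROCESS",
    "        RuleName: TechniqueID=T1027.001,TechniqueName=Obfuscated Files or",
    "        Image: /bin/dd",
]

def field_size_limit(root, field="RuleName"):
    # FieldSizes is a comma-separated list of Field:Size entries.
    node = root.find("FieldSizes")
    text = node.text if node is not None and node.text else ""
    for entry in text.split(","):
        name, _, size = entry.strip().partition(":")
        if name == field and size.isdigit():
            return int(size)
    return None  # no cap configured for this field

def check_rule_names(config_xml, event_lines):
    """Return (value, problem) pairs for over-cap names and truncated events."""
    root = ET.fromstring(config_xml)
    limit = field_size_limit(root)
    names = [r.get("name") for r in root.iter("Rule") if r.get("name")]
    findings = [(n, f"longer than FieldSizes RuleName:{limit}")
                for n in names if limit is not None and len(n) > limit]
    for line in event_lines:
        m = re.match(r"\s*RuleName:\s*(.*?)\s*$", line)
        if not m or m.group(1) in names:
            continue  # not a RuleName line, or the name was emitted intact
        full = [n for n in names if n.startswith(m.group(1))]
        if full:  # emitted value is a strict prefix of a configured name
            findings.append((m.group(1), f"truncated to {len(m.group(1))} chars of {full[0]!r}"))
    return findings
```

Run it against a live capture by feeding the RuleName lines from `sysmonLogView -e 1` output into `check_rule_names` alongside the deployed config.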

Marked as bug (possibly related to #75)

MarioHewardt avatar Mar 13 '23 15:03 MarioHewardt

There was an issue with the rule names which I just fixed. If you want to give it a try and let me know that would be great. For now you will have to build since we haven't published a new package yet.

MarioHewardt avatar Mar 15 '23 23:03 MarioHewardt

Closing for now. If the above fix does not resolve the issue please feel free to re-open.

MarioHewardt avatar Mar 20 '23 19:03 MarioHewardt