
EventID 15: FileCreateStreamHash recording N times in eventviewer

Open Yuvraj-Takey opened this issue 4 years ago • 3 comments

After enabling the FileCreateStreamHash event in sysmon, I am downloading one file from the browser, but in the event viewer it is showing N (sometimes 3 or 4) entries of the same file (I am facing this same problem in my WinAPI code, where I also receive N event logs of the same entry). This is my config file:

```xml
<Sysmon schemaversion="11.0">

<!-- Capture the hashes -->
<!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
<!-- no use now : <HashAlgorithms> sha256,IMPHASH, md5 </HashAlgorithms> -->
<!-- <HashAlgorithms onmatch="include"/> -->
<HashAlgorithms>*</HashAlgorithms>

<EventFiltering>
	<FileCreateStreamHash onmatch="include">
	<!--	<TargetFilename condition="contains">Downloads</TargetFilename> Downloaded files. Does not include "Run" files in IE-->
		<TargetFilename condition="contains">Temp\7z</TargetFilename> <!-- 7zip extractions-->
		<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
		<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
		<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
		<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
		<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file | Credit @ion-storm -->
		<TargetFilename condition="end with">.ppt</TargetFilename> <!--Office doc potentially with macros-->
		<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell-->
		<TargetFilename condition="end with">.ps2</TargetFilename> <!--PowerShell-->
		<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
		<TargetFilename condition="end with">.jse</TargetFilename> <!--Encoded JScript-->
		<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
		<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
		<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
		<TargetFilename condition="end with">.pdf</TargetFilename> <!-- PDF files-->
		<TargetFilename condition="end with">.msi</TargetFilename> <!--Windows Installer Package-->
		<TargetFilename condition="end with">.exe</TargetFilename> <!--Windows Executable-->
		<TargetFilename condition="end with">.dll</TargetFilename> <!--Windows Executable-->
	</FileCreateStreamHash>
	
	<RuleGroup name="" groupRelation="or">
	<FileCreateStreamHash onmatch="exclude">
		<!-- intentionally empty: nothing is excluded -->
	</FileCreateStreamHash>
	
</RuleGroup>
</EventFiltering>
</Sysmon>
```

Yuvraj-Takey avatar Jun 12 '20 05:06 Yuvraj-Takey

This is not a Sysmon issue, this is due to the behaviour of urlmon.dll https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms775123%28v%3Dvs.85%29, the library responsible for downloading files via HTTP. This opens and closes the stream multiple times to append MOTW information.


olafhartong avatar Jun 12 '20 07:06 olafhartong

@olafhartong okay, thanks for the information. Is there any way to reduce these redundant event log entries to 1, through the system or the sysmon utility?

Yuvraj-Takey avatar Jun 12 '20 08:06 Yuvraj-Takey

not as far as I know, sorry


olafhartong avatar Jun 15 '20 12:06 olafhartong
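Since Sysmon itself offers no way to collapse the repeated EventID 15 records that urlmon produces while it writes the Zone.Identifier stream, the practical place to reduce them to one is the collection side. The following is an added example, not code from sysmon-config or from Sysmon: it parses Sysmon FileCreateStreamHash records in Windows event XML (the shape `wevtutil /f:xml` exports), then drops repeats that share the same `TargetFilename` and `Hash` within a short window, keeping the first. The sample records, the browser path, the hash value and the 5-second window are all constructed assumptions.

```python
"""Collapse repeated Sysmon EventID 15 (FileCreateStreamHash) records.

Added example for this thread; not part of sysmon-config or Sysmon itself.
Assumptions: records are Windows event XML, and the repeats urlmon produces
for one stream carry an identical TargetFilename and Hash within WINDOW.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WINDOW = timedelta(seconds=5)  # assumption: repeats land within a few seconds


@dataclass(frozen=True)
class StreamEvent:
    utc_time: datetime
    image: str
    target: str
    hash_: str
    contents: str


def parse_event15(xml_text: str) -> StreamEvent | None:
    """Return a StreamEvent for an EventID 15 record, None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "15":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # Sysmon's UtcTime field looks like "2020-06-12 05:06:01.123"
    ts = datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return StreamEvent(ts, data.get("Image", ""), data["TargetFilename"],
                       data.get("Hash", ""), data.get("Contents", ""))


def is_motw(ev: StreamEvent) -> bool:
    """True when the stream is a Mark-of-the-Web Zone.Identifier with a ZoneTransfer body."""
    return ev.target.lower().endswith(":zone.identifier") and "[ZoneTransfer]" in ev.contents


def dedupe(events, window: timedelta = WINDOW) -> list[StreamEvent]:
    """Keep the first record of each (TargetFilename, Hash); drop repeats inside a sliding window."""
    last_seen: dict[tuple[str, str], datetime] = {}
    kept: list[StreamEvent] = []
    for ev in sorted(events, key=lambda e: e.utc_time):
        key = (ev.target.lower(), ev.hash_)
        prev = last_seen.get(key)
        last_seen[key] = ev.utc_time  # sliding: a burst of repeats extends the window
        if prev is not None and ev.utc_time - prev <= window:
            continue
        kept.append(ev)
    return kept


def _sample_xml(utc_time: str, target: str, hash_: str, contents: str, event_id: int = 15) -> str:
    # Constructed sample record; follows the Windows event XML layout, values are placeholders.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>
  <TimeCreated SystemTime="{utc_time.replace(' ', 'T')}Z"/></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">{utc_time}</Data>
    <Data Name="Image">C:\\Program Files\\Browser\\browser.exe</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="Hash">{hash_}</Data>
    <Data Name="Contents">{contents}</Data>
  </EventData>
</Event>"""


# Constructed sample: three repeats for one download's Zone.Identifier, then a different file.
_SETUP = "C:\\Users\\user\\Downloads\\setup.exe:Zone.Identifier"
_HASH = "SHA256=0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
_MOTW = "[ZoneTransfer]  ZoneId=3  HostUrl=https://example.invalid/setup.exe"
SAMPLE_EVENTS = [
    _sample_xml("2020-06-12 05:06:01.100", _SETUP, _HASH, _MOTW),
    _sample_xml("2020-06-12 05:06:01.350", _SETUP, _HASH, _MOTW),
    _sample_xml("2020-06-12 05:06:02.020", _SETUP, _HASH, _MOTW),
    _sample_xml("2020-06-12 05:06:10.000", "C:\\Users\\user\\Downloads\\notes.pdf:Zone.Identifier", _HASH, _MOTW),
]
NON15_XML = _sample_xml("2020-06-12 05:06:00.000", "C:\\Users\\user\\Downloads\\setup.exe", _HASH, "", event_id=11)


def collapse_samples() -> list[StreamEvent]:
    """Parse the constructed records and return the deduplicated list."""
    parsed = [ev for ev in (parse_event15(x) for x in SAMPLE_EVENTS) if ev is not None]
    return dedupe(parsed)


if __name__ == "__main__":
    for ev in collapse_samples():
        print(ev.utc_time.isoformat(), "MOTW" if is_motw(ev) else "ADS", ev.target)
```

The window and key are deliberately narrow: two writes of the same stream with different hashes (real content changes) are both kept, and only same-hash repeats in quick succession are folded away, which matches the urlmon behaviour described in the thread without hiding anything new.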