
sysmon-modular's Issues

Sysmon-modular to unify two XML configurations

Hi all,

I've been thinking about an idea for Sysmon modular, and what I want to do is similar to what you've done.

My idea is the following: I've got two Sysmon XML configuration files, one of them a "base" Sysmon configuration (I mean, like a template with common events) and another configuration file with particular events. What I would like to do is to find a way to merge the particular configuration file into the base configuration.

Could this idea be done with Merge-SysmonXml.ps1? Or could it be modified to achieve this? In that case, what could I modify to try it?

Best regards and thanks for your time and effort.
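As an added example (not part of sysmon-modular and not the logic of Merge-SysmonXml.ps1), the following Python script merges a "particular" Sysmon configuration into a "base" one the way the request above describes. Filter elements are keyed by event type and onmatch, entries are appended to the matching base element or placed in a new RuleGroup, identical entries are dropped, every attribute (condition, name) is preserved, and mismatched schemaversion values are refused. The two embedded configurations and the names BASE_XML, PARTICULAR_XML, merge_sysmon_xml, entries and merged_config_string are this example's own.

```python
"""Merge a 'particular' Sysmon XML config into a 'base' one.

Added example, not code from sysmon-modular or Merge-SysmonXml.ps1. Filter
elements (ProcessCreate, RegistryEvent, ...) are keyed by (event type, onmatch):
entries from the particular file are appended to the base element with the same
key, or a new RuleGroup is created when the base has none. Exact duplicate
entries are dropped and every attribute (condition, name) is kept.
"""
import xml.etree.ElementTree as ET

# Constructed sample configurations (not files from the repository).
BASE_XML = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM\\SOFTWARE\\Microsoft\\Office</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

PARTICULAR_XML = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>
        <OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">net1.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\\PSEXESVC</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def entry_key(el):
    """Structural identity of a filter entry: tag, attributes, text and children."""
    return (el.tag, tuple(sorted(el.attrib.items())), (el.text or "").strip(),
            tuple(entry_key(c) for c in el))


def merge_sysmon_xml(base_xml, particular_xml):
    base = ET.fromstring(base_xml)
    extra = ET.fromstring(particular_xml)
    if base.get("schemaversion") != extra.get("schemaversion"):
        raise ValueError("schemaversion mismatch: %s vs %s"
                         % (base.get("schemaversion"), extra.get("schemaversion")))
    filtering = base.find("EventFiltering")
    # Index the base's filter elements by (event type, onmatch).
    index = {}
    for group in filtering.findall("RuleGroup"):
        for filt in group:
            index[(filt.tag, filt.get("onmatch"))] = filt
    for group in extra.find("EventFiltering").findall("RuleGroup"):
        for filt in group:
            key = (filt.tag, filt.get("onmatch"))
            target = index.get(key)
            if target is None:  # base has no such filter yet: add a new RuleGroup
                new_group = ET.SubElement(filtering, "RuleGroup",
                                          {"name": "", "groupRelation": "or"})
                target = ET.SubElement(new_group, filt.tag, {"onmatch": filt.get("onmatch")})
                index[key] = target
            seen = {entry_key(e) for e in target}
            for entry in list(filt):
                k = entry_key(entry)
                if k in seen:
                    continue  # identical entry already present: skip the duplicate
                seen.add(k)
                target.append(entry)  # attributes such as condition travel with it
    return base


def entries(root, event_type, onmatch):
    """Filter entries under the given event type / onmatch pair."""
    for filt in root.iter(event_type):
        if filt.get("onmatch") == onmatch:
            return list(filt)
    return []


def merged_config_string(base_xml, particular_xml):
    root = merge_sysmon_xml(base_xml, particular_xml)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(merged_config_string(BASE_XML, PARTICULAR_XML))
```

Running it prints one configuration with three RuleGroups: the ProcessCreate include now holds whoami.exe once and net1.exe, the RegistryEvent exclude is untouched, and the PipeEvent include arrives in a RuleGroup of its own.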

My bad or an issue? registry_event exclude ending up in wrong place

Hi,

Right or wrong, I tried to create a "12_13_14_registry_event" exclude file which should exclude everything not included using the include files. The file was named "exclude_everything.xml" (all other exclude files removed) and the content is:

<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM</TargetObject>
        <TargetObject condition="begin with">HKU</TargetObject>
        <TargetObject condition="begin with">HKCR</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

When creating the sysmonconfig.xml file, the rows above end up at the end of the XML file (below Event ID 25), see below:

<RuleGroup groupRelation="or">
    <RegistryEvent onmatch="exclude">
      <TargetObject condition="begin with">HKLM</TargetObject>
      <TargetObject condition="begin with">HKU</TargetObject>
      <TargetObject condition="begin with">HKCR</TargetObject>
    </RegistryEvent>
  </RuleGroup>
  <RuleGroup groupRelation="or">
    <PipeEvent onmatch="include">
      <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\atsvc</PipeName>
      <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msagent_</PipeName>
      <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msf-pipe</PipeName>
      <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\PSEXESVC</PipeName>
      <PipeName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="begin with">\srvsvc</PipeName>
      <PipeName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="begin with">\winreg</PipeName>
    </PipeEvent>
  </RuleGroup>
  <RuleGroup groupRelation="or">
    <FileDelete onmatch="exclude">
      <Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
      <User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
    </FileDelete>
  </RuleGroup>
</EventFiltering>
</Sysmon>

Anything I'm doing wrong or is there a bug?
Downloaded from Git on April 21st.

BR
Daniel

latest config erroring out

Error: Incorrect XML configuration: .\sysmonconfig.xml
Reason: Element 'ProcessTampering' is unexpected according to content model of parent element 'RuleGroup'.
Expecting: ProcessCreate, FileCreateTime, NetworkConnect, ProcessTerminate, DriverLoad, ImageLoad, CreateRemoteThread, RawAccessRead, ProcessAccess, FileCreate, RegistryEvent, FileCreateStreamHash, PipeEvent, WmiEvent, DnsQuery, FileDelete, ClipboardChange.

i can't generate new configuration

Test-SysmonConfiguration : Schema version 4.2 is not supported.
Au caractère C:\PSSysmonTools\PSSysmonTools\Code\ConfigurationMerger.ps1:128 : 33
+ ... ionResult = Test-SysmonConfiguration -Path $PolicyFullPath -ErrorActi ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Test-SysmonConfiguration

Generating a config file

I am using Windows 10 Pro. While generating a config file using the command below (in PowerShell) I do not get any error, but after the process completes, sysmonconfig.xml is generated as an empty file.

$>. .\Merge-SysmonXml.ps1
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml

AppInit_DLLs Detection Issue

The following rules don't detect activity unless we take the backslash at the end out since it is a registry value.

<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>

Error while running Generate-sysmon-config.ps1

Hi

While running the script after executing "Import-Module .\PSSysmonTools.psm1", it throws this error:

The term 'Merge-SysmonXMLConfiguration' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At H:\HELK\sysmon-modular\Generate-Sysmon-config.ps1:28 char:188
+ Get-ChildItem -Path . -Filter *.xml -Recurse -ErrorAction SilentlyContinue | Where {$_.Name -NotMatch "sysmonconfig(?:-\d{2}-\w{3}-\d{4}-\d{2}-\d{2})?.xml"} | Merge-SysmonXMLConfiguration <<<< -ReferencePolicyPath .\baseconfig.xml -ExcludeMergeComments | Out-File sysmonconfig.xml -Encoding UTF8
    + CategoryInfo : ObjectNotFound: (Merge-SysmonXMLConfiguration:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Please suggest

[Feature] Enrich rule names with Tactics and Sub-techniques ⚗️

The goal of this feature is to include tactic name, tactic id, sub-technique name and sub-technique id to every single rule.

Benefits:

  • Allow for checking Sysmon rules against the latest MITRE ATT&CK for valid and invalid Tactics, Techniques, and Sub-techniques
  • Allow for full MITRE ATT&CK Mappings to Sysmon Events into a SIEM (For alerting and dashboarding)
  • Allow for scripting to automatically export an attack navigator file

So the rule:
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>

Would become:
<OriginalFileName name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>

The example of a sub-technique would then be:
<OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName>

Which would become:
<OriginalFileName name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1518,technique_name=Software Discovery,subtechnique_id=T1518.001,subtechnique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName>

This format works well with all of the current rules. This pairs well with: #79

Any questions or issues with this feature? 🤔

incorrect SecurityProviders registry path

In file 12_13_14_registry_event/include_windows_credential_providers.xml

<TargetObject name="technique_id=T1003,technique_name=Credential Dumping" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject>

Should be:
<TargetObject name="technique_id=T1003,technique_name=Credential Dumping" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\</TargetObject>

Same error was reported to SwiftOnSecurity but not fixed
https://github.com/SwiftOnSecurity/sysmon-config/issues?q=securityproviders

schema issue with Sysmon 11.10

Hi Olafhartong,
I am trying to implement your scripts and am getting the errors below.
I am using sysmon 11.10
System Monitor v11.10 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.30
Sysmon schema version: 4.32
Error: Incorrect XML configuration: sysmonconfig.xml
Reason: Element 'TargetFilename' is unexpected according to content model of parent element 'ProcessAccess'.
Expecting: Rule, RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace.

do you know of a fix for this?

thanks in advance

New exclusions for antimalwares - ProcessCreate

Hi,

Congrats for this great work!
just suggesting a few more exclusions :)

TREND MICRO AV:
<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

SOPHOS AV:
<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

ESET NOD32 AV:
<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

MALWAREBYTES ANTIMALWARE:
<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</Image>
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</Image>
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

KASPERSKY AV:
<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="begin with">C:\Program Files\Kaspersky Lab\</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

WINDOWS DEFENDER (Win 8+):
<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

NB: Kaspersky and Windows Defender use inconsistent paths (depending on antimalware/engine version), so I believe the only solution is to use the "contains" operand, even if it is less efficient on the performance side.

My 2 cents,

--
Phil

Error when running Merge-SysmonXMLConfiguration

When running Merge-SysmonXMLConfiguration, the following error is given.

`Merge-SysmonXMLConfiguration : The schema version of C:\Temp\sysmon-modular-master\sysmonconfig.xml () does not match that of the reference configuration:
C:\Temp\sysmon-modular-master\baseconfig.xml (4.10)
At line:1 char:78

+ ... yContinue | Merge-SysmonXMLConfiguration -ReferencePolicyPath .\basec ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Merge-SysmonXMLConfiguration`

No changes were made after downloading the repository. New sysmonconfig.xml is also 95 KB larger than the one that is downloaded in the respository.

Event ID 15: FileCreateStreamHash - Redundant entries

I was looking at Event ID 15 in the sysmonconfig.xml file and found that there are 3 identical entries of
"<TargetFilename condition="contains">Downloads</TargetFilename>".
Are those redundant entries needed in the XML? If so, what are they used for?

Bad technique id ("1053" instead of "T1053")

On this line, the technique id should be "T1053" instead of "1053":
<ImageLoaded name="technique_id=1053,technique_name=Scheduled Task" condition="end with">taskschd.dll</ImageLoaded>

Where do I change HashAlgorithms?

I see there are several files where HashAlgorithms is defined and they're all capturing all hashes. If I just want to capture IMPHASH, where should I change it that will work with the merge? I tried changing it in Merge-SysmonXml.ps1 but that didn't work. Thank you in advance.

AppInit_DLLs Detection

The following rules don't detect activity unless we take the backslash at the end out since it is a registry value.

<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>

MITRE ATT&CK

Hi,

Have you developed a script to automatically generate the JSON file for the MITRE ATT&CK Navigator?

Thanks

Rule name duplicate

Rule name in Line 152 and Line 156 are same, Line 156 should have CMSTP instead of mavinject.

Cannot merge config file

Hello there,

I've tried to look first at the closed issues and could not find anything that resolves the problem I'm getting:

1- Loaded the . .\Merge-SysmonXml.ps1
2 - Executed the command Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]**.xml') -AsString | Out-File sysmonconfig.xml

And then errors:

Method invocation failed because [System.IO.StringWriter] does not contain a method named 'new'.
At C:\temp\sysmon-modular\Merge-SysmonXml.ps1:60 char:17
+                 $sw = [System.IO.StringWriter]::new()
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

You cannot call a method on a null-valued expression.
At C:\temp\sysmon-modular\Merge-SysmonXml.ps1:68 char:17
+                 $sw.Dispose()
+                 ~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Merge-SysmonXml : Cannot bind argument to parameter 'Source' because it is null.
At C:\temp\sysmon-modular\Merge-SysmonXml.ps1:55 char:47
+             $newDoc = Merge-SysmonXml -Source $newDoc -Diff $XmlDocs[$i]
+                                               ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Merge-SysmonXml], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Merge-SysmonXml

Method invocation failed because [System.Xml.XmlDocument] does not contain a method named 'new'.
At C:\temp\sysmon-modular\Merge-SysmonXml.ps1:36 char:13
+             $doc = [xml]::new()
+             ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Thanks for the attention

Error When Running Merge-SysmonXMLConfiguration

When running Merge-SysmonXMLConfiguration from a fresh pull of PSSysmonTools and sysmon-modular it throws the error:

`Test-SysmonConfiguration : The 'onmatch' attribute is invalid - The value 'Exclude' is invalid according to its datatype 'urn:schemas-specterops.io:SysmonConfiguration:IncludeExcludeType' - The
Enumeration constraint failed.
At C:\Users\c11900\Documents\Engineering\sysmon\SysmonTools\PSSysmonTools\PSSysmonTools\Code\ConfigurationMerger.ps1:75 char:44

+ ... ionResult = Test-SysmonConfiguration -Path $ReferencePolicyFullPath - ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Test-SysmonConfiguration`

Not sure if it matters since I wasn't able to compile a config to run, but this is on schema v4.1 and Sysmon v8.0.0.

The '1_process_creation/include_living_of_the_land.xml' rule item has a duplicate

Encoding on sysmonconfig.xml

Looks like the encoding of sysmonconfig.xml has changed to UCS-2 LE BOM, generated by Azure Pipeline. UCS-2 LE BOM is also the default if you execute Merge-SysmonXml.ps1 with PowerShell version 5.1. The file size is double that of UTF-8. Not sure of the implications, but it may be something worth looking into.

Modular File Management vs Single Config File Management

I was wondering about the benefit of using Modular File Management vs Single Config File Management. Why do you consider it easier to use multiple files and then compile? Trying to figure out what the best case is for my use case. Thanks.

Rule T1130/T1089 triggers at every GPO update

Hi,

I am new to sysmon and experimenting with configs from this repository.
Now I have installed a clean client with my baseline settings and I get a lot of triggers for the rules T1130/T1089.
I came to the conclusion that this happens after every GPUpdate, since my settings tell the client to process every object even if it has not changed.

Would there be a good way to filter these events? One possibility I see is to filter based on the Image which made the change. In this case it would be svchost.exe. Now I wonder if this would lead to missing out on critical detections.

Thx Bernhard

New exclusions for antimalwares - NetworkConnect

Hi again,

same thing, for network traffic belonging to antimalware solutions: connections to the management server, cloud based services, etc. Quite noisy.

TRENDMICRO AV:
<NetworkConnect onmatch="exclude">
  <Image condition="is">C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe</Image>
  <Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
</NetworkConnect>

SOPHOS ANTIVIRUS:
<NetworkConnect onmatch="exclude">
  <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
  <Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
  <Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
  <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
  <Image condition="is">C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe</Image>
</NetworkConnect>

ESET NOD32 AV:
<NetworkConnect onmatch="exclude">
  <Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
</NetworkConnect>

HTH.

--
Phil

BSOD on windows 10 machines.

We've had something unusual crop up. From the report I've received.

Users using a flash drive will cut and paste a file off of their drive and get the attached error. .sys"

I've tried excluding the specific file that was causing the error, error continues. I've also completely removed .sys" from event ID 11, and the issue is still present.

I've reverted back to an old config file from before I implemented modular Sysmon, and the issue was no longer present. I am doing more testing on my end to pin this down.

If you find something let me know, if I beat you to it I'll let you know.

The BSOD seems to stem from fastfat.sys, but only happens when using modular sysmon config.

Is the comparison in exclude_microsoft_drivers.xml secure enough?

Hey Olaf,

thanks a lot for your work. I was debugging some Sysmon stuff you've been reporting and I'm wondering whether rules such as

      <RuleGroup groupRelation="or">
        <DriverLoad onmatch="exclude">
          <Signature condition="begin with">Intel </Signature>
          <Signature condition="contains">microsoft</Signature>
          <Signature condition="contains">windows</Signature>
        </DriverLoad>
      </RuleGroup>

might be risky. I guess it would be possible, for example, to get a code signing certificate for a legit entity called something like "WindowSwift" - or "windowswift". Signing authorities might raise questions if I use words such as "Intel" (Intelspace in the rules) and certainly they would complain about "Microsoft", but "windowswift" seems unrelated enough to be granted.

What do you think?
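The two rule problems raised on this page, the AppInit_DLLs rule whose trailing backslash never matches (the "AppInit_DLLs Detection" issues above) and the broad "contains" matches on the DriverLoad Signature field in this issue, come down to how Sysmon's condition operators compare strings. The following Python is an added example, not code from Sysmon or sysmon-modular: it models the subset of operators these rules use, applies them case-insensitively as Sysmon does, and evaluates the page's rules against sample field values. The signer "WindowSwift Ltd" is a constructed name, and the names matches, any_rule_matches, driver_is_excluded and the *_EXCLUDES lists are this example's own.

```python
"""Evaluate Sysmon-style filter conditions against sample field values.

Added example, not code from Sysmon or sysmon-modular. It models the subset
of Sysmon condition operators used by the rules quoted on this page and
applies them case-insensitively, to show (1) why a 'begin with' pattern that
ends in a backslash cannot match a registry *value* such as AppInit_DLLs and
(2) how broad 'contains' matches on the DriverLoad Signature field exclude
more signers than intended. Signer names in the demo are constructed.
"""


def matches(condition, pattern, value):
    """True when `value` satisfies the Sysmon condition `condition` for `pattern`."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "contains":
        return p in v
    if condition == "contains any":       # ';'-separated alternatives
        return any(t.strip() in v for t in p.split(";"))
    if condition == "contains all":
        return all(t.strip() in v for t in p.split(";"))
    raise ValueError("unsupported condition: %s" % condition)


def any_rule_matches(rules, value):
    """groupRelation='or': the event matches when any entry of the group matches."""
    return any(matches(cond, pat, value) for cond, pat in rules)


# --- AppInit_DLLs: the TargetObject of a value write names the value itself,
# so it has no trailing backslash; a pattern ending in '\' only fits subkeys.
APPINIT_TARGET = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"
APPINIT_RULE_WITH_SLASH = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\")
APPINIT_RULE_FIXED = APPINIT_RULE_WITH_SLASH.rstrip("\\")

# --- DriverLoad exclude rules as quoted in this issue, and a stricter variant
# that only excludes exact signer names.
LOOSE_SIGNATURE_EXCLUDES = [
    ("begin with", "Intel "),
    ("contains", "microsoft"),
    ("contains", "windows"),
]
STRICT_SIGNATURE_EXCLUDES = [
    ("is", "Microsoft Windows"),
    ("is", "Microsoft Corporation"),
    ("is", "Intel Corporation"),
]


def driver_is_excluded(rules, signature):
    """Would a DriverLoad event with this Signature be dropped by the exclude group?"""
    return any_rule_matches(rules, signature)


if __name__ == "__main__":
    print("AppInit rule with trailing backslash matches:",
          matches("begin with", APPINIT_RULE_WITH_SLASH, APPINIT_TARGET))
    print("AppInit rule without it matches:",
          matches("begin with", APPINIT_RULE_FIXED, APPINIT_TARGET))
    for signer in ("Microsoft Windows", "WindowSwift Ltd"):  # second signer is constructed
        print("%-18s loose: %-5s strict: %s" % (
            signer, driver_is_excluded(LOOSE_SIGNATURE_EXCLUDES, signer),
            driver_is_excluded(STRICT_SIGNATURE_EXCLUDES, signer)))
```

The loose group drops the constructed "WindowSwift Ltd" signer because "windows" is a substring of it; the exact-match group keeps that event while still dropping "Microsoft Windows". DriverLoad events also carry the SignatureStatus field, so a compound Rule that requires both an exact signer and a valid signature status narrows the exclusion further than the signer string alone.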

Feature Request: Automated removal of entries

Fantastic work on doing the mapping; love it!

We use a modified version of either yours or Swift's config and remove entries from certain areas to reflect what we want to see in our environment. With modular, it'd be super handy if we could have a file of things we want to remove that the script would reference when it's done putting things together that would then remove those entries.

That way, we could update from the git when there's a change and not have to manually go remove entries from the final product.

Thanks!

typo in file name 'include_living_of_the_land.xml'

right now there are 2 files in the process creation directory with the names:

  • include_living_off_the_land.xml
  • include_living_of_the_land.xml

with almost identical content.
I think maybe one of these files is redundant and should be deleted. I also checked that the contents of both files exist in sysmonconfig.xml, so maybe this causes some inconsistencies in Sysmon log generation.

New exclusions for Azure Sentinel - ProcessCreate and PipeEvent

Hi,

Congrats for this great work!
just suggesting a few more exclusions, regarding the Microsoft Azure Sentinel SIEM agent :)

PROCESS CREATION

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Rule groupRelation="and">
          <ParentCommandLine condition="is">"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding</ParentCommandLine>
          <CommandLine condition="is">C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs</CommandLine>
          <!--Microsoft Sentinel SIEM agent, based on MOM-->
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

PIPE CREATION:

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="exclude">
        <Image condition="is">"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"</Image>
        <!--Microsoft Sentinel SIEM agent, based on MOM-->
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

My 2 cents,

--
Phil

Credential Dumping - false positive?

I'm getting the following created in the event log.

`The description for Event ID 10 from source Microsoft-Windows-Sysmon cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

technique_id=T1003,technique_name=Credential Dumping
2019-01-03 16:01:06.470
EV_RenderedValue_2.00
820
8872
C:\Windows\system32\svchost.exe
EV_RenderedValue_6.00
740
C:\Windows\system32\lsass.exe
5120
C:\Windows\SYSTEM32\ntdll.dll+a5fc4|C:\Windows\System32\KERNELBASE.dll+5d8e4|c:\windows\system32\lsm.dll+f6fb|C:\Windows\System32\RPCRT4.dll+784a3|C:\Windows\System32\RPCRT4.dll+dbc6d|C:\Windows\System32\RPCRT4.dll+a8dc|C:\Windows\System32\RPCRT4.dll+5a214|C:\Windows\System32\RPCRT4.dll+5912d|C:\Windows\System32\RPCRT4.dll+599db|C:\Windows\System32\RPCRT4.dll+39b5c|C:\Windows\System32\RPCRT4.dll+39fdc|C:\Windows\System32\RPCRT4.dll+542ec|C:\Windows\System32\RPCRT4.dll+55b4b|C:\Windows\System32\RPCRT4.dll+4864a|C:\Windows\SYSTEM32\ntdll.dll+2864e|C:\Windows\SYSTEM32\ntdll.dll+29fb9|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+6e851
`

We've had sysmon 7 running on this machine for several months but I don't think it's had ProcessAccess logging enabled, so I've not seen this before.
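When the Sysmon message template is missing, Event ID 10 is logged as the bare field values in schema order, as in the record above. The following Python is an added example, not code from sysmon-modular: it maps those values onto the ProcessAccess field names (the order Sysmon itself prints in the schema error quoted earlier on this page, Rule excluded), decodes the GrantedAccess mask into the documented PROCESS_* rights, and lists call-trace modules outside the Windows directory. The embedded record is the one from this issue with its call trace abridged; the function names parse_rendered_event, decode_access_mask, call_trace_modules and triage are this example's own.

```python
"""Decode a Sysmon Event ID 10 (ProcessAccess) record whose message template
was unavailable, so the log shows only the raw field values in schema order.

Added example, not code from sysmon-modular. The field order is the
ProcessAccess field list Sysmon prints in its schema error (RuleName through
CallTrace); the access-right names are the documented PROCESS_* constants.
The sample record is the one quoted in this issue, call trace abridged.
"""
PROCESS_ACCESS_FIELDS = [
    "RuleName", "UtcTime", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
    "SourceImage", "TargetProcessGUID", "TargetProcessId", "TargetImage",
    "GrantedAccess", "CallTrace",
]

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

SAMPLE_RECORD = """technique_id=T1003,technique_name=Credential Dumping
2019-01-03 16:01:06.470
EV_RenderedValue_2.00
820
8872
C:\\Windows\\system32\\svchost.exe
EV_RenderedValue_6.00
740
C:\\Windows\\system32\\lsass.exe
5120
C:\\Windows\\SYSTEM32\\ntdll.dll+a5fc4|C:\\Windows\\System32\\KERNELBASE.dll+5d8e4|c:\\windows\\system32\\lsm.dll+f6fb|C:\\Windows\\System32\\RPCRT4.dll+784a3|C:\\Windows\\SYSTEM32\\ntdll.dll+6e851"""


def parse_rendered_event(text):
    """One value per line, in PROCESS_ACCESS_FIELDS order -> dict of strings."""
    values = [line.strip() for line in text.strip().splitlines()]
    if len(values) != len(PROCESS_ACCESS_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(PROCESS_ACCESS_FIELDS), len(values)))
    return dict(zip(PROCESS_ACCESS_FIELDS, values))


def decode_access_mask(value):
    """Accepts '5120' (rendered, decimal) or '0x1400' (normal event) and names the set bits."""
    mask = int(value, 0)
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)  # bits outside the table (e.g. standard rights)
    return mask, names, unknown


def call_trace_modules(trace):
    """'module+offset|module+offset|...' -> list of module paths."""
    return [frame.split("+", 1)[0] for frame in trace.split("|") if frame]


def triage(text):
    """Summarise what the access to the target process could actually do."""
    ev = parse_rendered_event(text)
    mask, rights, unknown = decode_access_mask(ev["GrantedAccess"])
    modules = call_trace_modules(ev["CallTrace"])
    return {
        "source": ev["SourceImage"],
        "target": ev["TargetImage"],
        "rights": rights,
        "unknown_bits": unknown,
        "can_read_memory": bool(mask & 0x0010),  # PROCESS_VM_READ
        "modules_outside_windows": [m for m in modules
                                    if not m.lower().startswith("c:\\windows\\")],
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_RECORD).items():
        print("%-24s %s" % (key, val))
```

For the record above the mask 5120 is 0x1400, i.e. PROCESS_QUERY_INFORMATION plus PROCESS_QUERY_LIMITED_INFORMATION with no PROCESS_VM_READ, and every frame of the call trace lies under C:\Windows; that is the information a reviewer needs to judge whether an lsass.exe access event deserves follow-up or an exclusion.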

MergeAllSysmonXml

Hello,

Please, how do I make the script work with the Merge-AllSysmonXml option? When I launch the script I don't get an error, but the configuration file sysmonconfig.xml is empty.

my $PSVersionTable

Name                           Value
PSVersion                      5.1.18362.628
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.628
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

thanks a lot

condition="is" is removed after merge.

When Generate-Sysmon-config.ps1 is run and has a condition="is" the condition is stripped from the filter row. Please clarify if this is intended.

Before merge:

<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->

After merge:
<Image>C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>

Sysmon 9.0

Hi Olaf and thanks for the great work!
Will the sysmon-modular work also for sysmon 9.0?

Cheers,

momilor

Merge-AllSysmonXml : Cannot bind argument to parameter 'Path' because it is null.

What may be the reason?

COMPLETE ERROR MESSAGE
Merge-AllSysmonXml : Cannot bind argument to parameter 'Path' because it is null.
At line:1 char:26

+ Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]**.xml') -AsString | O ...
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Merge-AllSysmonXml], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Merge-AllSysmonXml

How to Map kill chain phases ?

It's not related to this project, but I wanted to know: is there a way to map kill chain phases? Or is it already done somehow?

Please Guide.

I don't have the Merge-AllSysmonXml in my directory.

When I try to paste the command Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]**.xml') -AsString | Out-File sysmonconfig.xml in PowerShell it gives me the following error.

Merge-AllSysmonXml : The term 'Merge-AllSysmonXml' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again.
At line:1 char:1

+ Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]**.xml') -AsString | ...
    + CategoryInfo          : ObjectNotFound: (Merge-AllSysmonXml:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

And Secondly: I don't have Merge-AllSysmonXml in my directory

[Feature] Compare Sysmon to MITRE ATT&CK - Script 🤖

The goal of this feature is to provide a way for an analyst to easily check their Sysmon rules against the latest MITRE ATT&CK Framework.

Benefits:

  • Find valid and invalid Tactics and Techniques to fix in their Sysmon rule names
  • Identify all Sysmon rules that match the latest framework

Features of the script:

  • Check a single file for valid tactics, techniques or subtechniques
  • Check a modular folder for valid tactics, techniques or subtechniques
  • Use latest MITRE ATT&CK enterprise-attck.json from GitHub for comparison
  • Use local enterprise-attck.json file for comparison
  • Export valid rules for Attack Navigator (Sysmon-modular.json)
  • Ingest loaded MITRE ATT&CK into Elasticsearch cluster (Index - mitre_attck)
  • Display table view of MITRE-ATT&CK and rules found from Sysmon configs (with file paths they live in)
  • Display table view of Sysmon rules and if they are valid tactics, techniques or subtechniques

Basically, this will be the swiss army knife for all things MITRE ATT&CK and comparing them to the Sysmon rules the analysts wish to address.

This would also take care of #50

This script will work best with the full MITRE ATT&CK properties. Watch for incoming feature request / issue on this.
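As an added example serving this feature request, the "Enrich rule names with Tactics and Sub-techniques" request and the "Bad technique id" report earlier on this page, the following Python is not the script proposed here and not code from sysmon-modular. It parses the key=value rule names the project uses, checks each technique_id for the T####(.###) shape and against an ATT&CK index, rewrites valid names into the tactic/technique/sub-technique format shown in the enrichment request, and emits a minimal ATT&CK Navigator layer. ATTACK_SUBSET is a small hand-built index (current ATT&CK ids and names) standing in for the full enterprise-attack.json, SAMPLE_RULE_NAMES are rule names taken from or modelled on this page, and the functions parse_rule_name, validate_rule_name, enrich_rule_name, audit and navigator_layer are this example's own.

```python
"""Check Sysmon rule names against a MITRE ATT&CK index, enrich them with
tactic and sub-technique fields, and emit an ATT&CK Navigator layer.

Added example, not the script proposed in this issue and not code from
sysmon-modular. ATTACK_SUBSET is a small hand-built index using current
ATT&CK identifiers and names in place of the full enterprise-attack.json;
SAMPLE_RULE_NAMES are rule names taken from, or modelled on, this page.
"""
import json
import re

# Constructed subset of the ATT&CK Enterprise matrix: id -> name and tactic.
ATTACK_SUBSET = {
    "T1033": {"name": "System Owner/User Discovery", "tactic": ("TA0007", "Discovery")},
    "T1518": {"name": "Software Discovery", "tactic": ("TA0007", "Discovery")},
    "T1518.001": {"name": "Security Software Discovery", "tactic": ("TA0007", "Discovery")},
    "T1003": {"name": "OS Credential Dumping", "tactic": ("TA0006", "Credential Access")},
    "T1021": {"name": "Remote Services", "tactic": ("TA0008", "Lateral Movement")},
    "T1021.002": {"name": "SMB/Windows Admin Shares", "tactic": ("TA0008", "Lateral Movement")},
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

SAMPLE_RULE_NAMES = [
    "technique_id=T1033,technique_name=System Owner/User Discovery",
    "technique_id=T1518.001,technique_name=Security Software Discovery",
    "technique_id=1053,technique_name=Scheduled Task",             # missing the 'T' prefix
    "technique_id=T1130,technique_name=Install Root Certificate",  # not in the loaded index
    "technique_id=T1003,technique_name=Credential Dumping",
]


def parse_rule_name(name):
    """'k1=v1,k2=v2' -> {'k1': 'v1', 'k2': 'v2'}"""
    fields = {}
    for part in name.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def validate_rule_name(name):
    """Return ('ok' | 'malformed' | 'unknown', technique_id)."""
    tid = parse_rule_name(name).get("technique_id", "")
    if not TECHNIQUE_ID.match(tid):
        return "malformed", tid
    if tid not in ATTACK_SUBSET:
        return "unknown", tid
    return "ok", tid


def enrich_rule_name(name):
    """Rewrite a rule name into the tactic/technique/sub-technique format."""
    status, tid = validate_rule_name(name)
    if status != "ok":
        raise ValueError("cannot enrich %r: technique_id %r is %s" % (name, tid, status))
    parent_id = tid.split(".")[0]
    parent = ATTACK_SUBSET[parent_id]
    tactic_id, tactic_name = parent["tactic"]
    out = [("tactic_id", tactic_id), ("tactic_name", tactic_name),
           ("technique_id", parent_id), ("technique_name", parent["name"])]
    if "." in tid:  # sub-technique: keep the parent and add the sub-technique pair
        out += [("subtechnique_id", tid), ("subtechnique_name", ATTACK_SUBSET[tid]["name"])]
    return ",".join("%s=%s" % kv for kv in out)


def audit(rule_names):
    """(name, status, technique_id) for every rule, for the table views requested."""
    return [(name,) + validate_rule_name(name) for name in rule_names]


def navigator_layer(rule_names, layer_name="Sysmon-modular"):
    """Minimal ATT&CK Navigator layer listing the valid technique ids."""
    covered = set()
    for name in rule_names:
        status, tid = validate_rule_name(name)
        if status == "ok":
            covered.add(tid)
    return {
        "name": layer_name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "score": 1, "comment": "Sysmon rule present"}
                       for tid in sorted(covered)],
    }


if __name__ == "__main__":
    for name, status, tid in audit(SAMPLE_RULE_NAMES):
        print("%-9s %-10s %s" % (status, tid, name))
    print(json.dumps(navigator_layer(SAMPLE_RULE_NAMES), indent=2))
```

Because the technique names come from the index rather than from the rule, enrichment also refreshes renamed techniques (the page's "Credential Dumping" becomes "OS Credential Dumping"); with the real enterprise-attack.json loaded into ATTACK_SUBSET in the same shape, the same functions run over a whole modular folder.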

Config file not working as expected

Hi,

I have been testing the latest master branch with the latest Sysmon. I have customised it by removing some of the rules for tools I do not use, and I have also added a new rule as below. From my testing though, it seems part of the config is not applying: my rule is not applied and generates a lot of events. If I dump the config with sysmon -c and pick some key executables from the config, I cannot find them in the dump, whereas if I use SwiftOnSecurity's z-alpha config I can find matching words.

Below is my 10_process_access config and an example of a portion of the event still firing. Also, event 12 seems to hit a lot whereas z-alpha doesn't; comparing the configs I cannot see why it would be triggering unless the event hides the actual reg path. I have tried your default config and seem to have similar events triggering, with the obvious inclusion of sfc.exe.

Any suggestions/tests?

sfc.exe

Process accessed:
RuleName:
UtcTime: 2019-10-30 07:47:08.072
SourceProcessGUID: {d1bab7ef-51e6-5dad-0000-001046290400}
SourceProcessId: 4336
SourceThreadId: 9040
SourceImage: C:\Program Files\Cisco\AMP\6.3.7\sfc.exe

Registry object added or deleted:
RuleName:
EventType: CreateKey
UtcTime: 2019-10-30 07:51:16.454
ProcessGuid: {d1bab7ef-51e5-5dad-0000-001017940300}
ProcessId: 2408
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKCR

Thanks
