SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

can't exclude event with sysmon v10.42 #103

Open soukoye opened 4 years ago

soukoye commented 4 years ago

Hi all, (Thanks SwiftOnSecurity for your work)

I try to simply exclude events like "ping 8.8.8.8", but there is no effect! OS = Win7 (on VirtualBox), Sysmon = 10.42, XML = sysmon-config from SwiftOnSecurity

1) Take your xml and load sysmon: Sysmon64.exe -c SysmonConfig.xml
2) Test ping 8.8.8.8 in cmd.exe
3) Sysmon log in eventviewer:

Process Create:
RuleName: technique_id=T1059,technique_name=Command-Line Interface
...
Image: C:\Windows\System32\PING.EXE
OriginalFileName: ping  8.8.8.8
CommandLine: C:\sysmon\
ParentImage: ndows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe" 

4) Then put exclusions in your XML (I put a lot because I tried everything to block it)

    <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\system32\ping.exe</Image>
        <ParentCommandLine condition="is">C:\Windows\System32\cmd.exe</ParentCommandLine>
        <ParentImage condition="end with">\System32\cmd.exe</ParentImage>
        <CommandLine condition="contains">ping.exe</CommandLine>
        <CommandLine condition="contains">cmd.exe</CommandLine>
        <CommandLine condition="contains">sysmon</CommandLine>
        ...

5) Update sysmon with new rules:

Sysmon64.exe -c SysmonConfig.xml
        Loading configuration file with schema version 4.22
        Sysmon schema version: 4.23
        Configuration file validated.
        Configuration updated.

6) Test ping 8.8.8.8 in cmd.exe
7) Same log in eventviewer as before

RuleName: technique_id=T1059,technique_name=Command-Line Interface
Image: C:\Windows\System32\PING.EXE
OriginalFileName: ping  8.8.8.8
CommandLine: C:\sysmon\
ParentImage: ndows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe" 

Am I missing something? I even tried debug mode (Sysmon64.exe -t -i SysmonConfig.xml) but it seems disabled in 10.42

regards

cyberkryption commented 4 years ago

Hi soukoye,

Did you try just PING.EXE in uppercase, like your example event?

Excluding cmd.exe parent events means that you will most likely have no visibility into anything typed in a command prompt. Always try to make your exclusions granular.

I would look at excluding network connections to 8.8.8.8

Cheers

Cyberkryption

On Tue, 24 Dec 2019, 12:32 soukoye, notifications@github.com wrote:

soukoye commented 4 years ago

Hi cyberkryption,

Yes, PING.EXE was my first try, but no effect. I don't want to exclude cmd.exe parent events because I know it's important. It was just for my test: even excluding cmd.exe is not working

Cheers
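To check whether the rule text itself should match the logged event, here is an added Python matcher (not part of sysmon-config or of Sysmon) that evaluates an onmatch="exclude" block against an event's fields using Sysmon's case-insensitive string conditions; it also includes a constructed `<Rule groupRelation="and">` entry of the granular kind suggested in the thread, and the sample event is constructed to resemble the ping process creation above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's exclude entries for ping, plus an AND-grouped
# Rule (image ends with \ping.exe AND command line contains 8.8.8.8).
EXCLUDE_XML = r"""
<ProcessCreate onmatch="exclude">
    <Image condition="is">C:\Windows\system32\ping.exe</Image>
    <ParentImage condition="end with">\System32\cmd.exe</ParentImage>
    <Rule groupRelation="and">
        <Image condition="end with">\ping.exe</Image>
        <CommandLine condition="contains">8.8.8.8</CommandLine>
    </Rule>
</ProcessCreate>
"""

def field_matches(value, condition, pattern):
    """Sysmon string conditions are case-insensitive; mirror that here."""
    v, p = value.lower(), pattern.lower()
    return {
        "is": v == p,
        "is not": v != p,
        "contains": p in v,
        "excludes": p not in v,
        "begin with": v.startswith(p),
        "end with": v.endswith(p),
    }[condition]

def entry_matches(elem, event):
    """One <Field condition="...">pattern</Field> entry against an event dict."""
    return field_matches(event.get(elem.tag, ""), elem.get("condition", "is"), elem.text or "")

def block_matches(block, event):
    """Top-level entries of an onmatch block are OR'd; a <Rule> groups its
    children with groupRelation 'and' or 'or' (default 'or')."""
    for child in block:
        if child.tag == "Rule":
            results = [entry_matches(e, event) for e in child]
            combine = all if child.get("groupRelation", "or") == "and" else any
            if results and combine(results):
                return True
        elif entry_matches(child, event):
            return True
    return False

def is_excluded(config_xml, event):
    """True if the event would be dropped by the given exclude block."""
    return block_matches(ET.fromstring(config_xml.strip()), event)

# Constructed event resembling the Event ID 1 entry pasted in the thread.
PING_EVENT = {
    "Image": r"C:\Windows\System32\PING.EXE",
    "CommandLine": "ping  8.8.8.8",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
}
```

If this returns True for the logged event, the rule text is not the problem and the cause lies in how the running configuration was loaded or structured.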

kpsmiley23 commented 4 years ago

Hey all, (Thanks to everyone that has contributed and continues to contribute to this repo...Great work!)

My env:
Sysmon.exe version 10.42
Windows 10 1709+
SwiftOnSecurity config with some custom additions

I'm also not having much luck with certain exclusions in this config, but regarding registry and DNS events rather than process creation events.

I don't want to start excluding general groups of filter rules to stop a few noisy ones...

Thanks!

wyodoc1 commented 4 years ago

I also have the same issue since going to 10.42, so I went back to a basic pull of version 71 and added a simple Splunk exclusion to EventID 1

        <!--SECTION: TEST-->
        <Image condition="begin with">C:\splunk\bin\</Image>
        <ParentImage condition="is">C:\splunk\bin\splunkd.exe</ParentImage>
        <!--SECTION: Microsoft Windows-->

I can see that it is in the running config: Rule configuration (version 4.22):

Yet I'm still seeing the events being included; this seems like a bug in the parsing again for the 10.42 version?