Sysinternals / SysmonForLinux

MIT License

It is not possible to obtain the hashes of any type of algorithm in any event. #131

Closed juliancnn closed 1 year ago

juliancnn commented 1 year ago

Describe the bug

It is not possible to obtain the hashes of any image/file. It appears empty (<>-</>).

To Reproduce

  1. Load the custom configuration to capture events (attached below in this issue).
  2. Execute a command that creates a file and then a command that deletes the file, for example:

     touch /tmp/e11.log
     rm /tmp/e11.log

Sysmon version v1.2.0 from repo:

╰─# sysmon -h     

Sysmon v1.2.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.

╰─# apt show sysmonforlinux                         
Package: sysmonforlinux
Version: 1.2.0
Maintainer: Sysinternals <syssite@microsoft.com>
Installed-Size: 60.3 MB
Depends: libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5), libxml2 (>= 2.7.4), sysinternalsebpf (>= 1.2.0)
Download-Size: 1764 kB
APT-Manual-Installed: yes
APT-Sources: https://packages.microsoft.com/ubuntu/22.04/prod jammy/main amd64 Packages
Description: A system monitor based on eBPF, ported from Windows, that outputs events to Syslog

Distro/kernel version

╭─root@202-u20-dev-agent /tmp 
╰─# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:    22.04
Codename:   jammy
╭─root@202-u20-dev-agent /tmp 
╰─# uname -a      
Linux 202-u20-dev-agent 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Sysmon configuration

<Sysmon schemaversion="4.81">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 == ProcessCreate. Log all newly created processes -->
    <ProcessCreate onmatch="exclude"/>
    <!-- Event ID 3 == NetworkConnect Detected. Log all network connections -->
    <NetworkConnect onmatch="exclude"/>
    <!-- Event ID 4 == Sysmon service state changed, non filter -->
    <!-- Event ID 5 == ProcessTerminate. Log all processes terminated -->
    <ProcessTerminate onmatch="exclude"/>
    <!-- Event ID 9 == RawAccessRead. Log all raw access read -->
    <RawAccessRead onmatch="exclude"/>
    <!-- Event ID 10 == ProcessAccess. Log all open process operations -->
    <ProcessAccess onmatch="exclude"/>
    <!-- Event ID 11 == FileCreate. Log every file creation -->
    <FileCreate onmatch="exclude"/>
    <!-- Event ID 16 == ServiceConfigurationChange, non filter -->
    <!-- Event ID 23 == FileDelete. Log all files being deleted -->
    <FileDelete onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

Logs

Jun  5 19:58:34 202-u20-dev-agent sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-06-05T19:58:34.135708000Z"/><EventRecordID>2549</EventRecordID><Correlation/><Execution ProcessID="6140" ThreadID="6140"/><Channel>Linux-Sysmon/Operational</Channel><Computer>202-u20-dev-agent</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-06-05 19:58:34.136</Data><Data Name="ProcessGuid">{924935dc-3e6a-647e-f6c4-ad8b37560000}</Data><Data Name="ProcessId">6182</Data><Data Name="Image">/usr/bin/touch</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">touch /tmp/e11.log</Data><Data Name="CurrentDirectory">/root</Data><Data Name="User">root</Data><Data Name="LogonGuid">{924935dc-fbf9-647d-0000-000001000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">7</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{924935dc-3c57-647e-0ddf-87b869550000}</Data><Data Name="ParentProcessId">6160</Data><Data Name="ParentImage">/usr/bin/bash</Data><Data Name="ParentCommandLine">bash</Data><Data Name="ParentUser">root</Data></EventData></Event>
Jun  5 19:58:34 202-u20-dev-agent sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-06-05T19:58:34.136160000Z"/><EventRecordID>2550</EventRecordID><Correlation/><Execution ProcessID="6140" ThreadID="6140"/><Channel>Linux-Sysmon/Operational</Channel><Computer>202-u20-dev-agent</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-06-05 19:58:34.137</Data><Data Name="ProcessGuid">{924935dc-3e6a-647e-f6c4-ad8b37560000}</Data><Data Name="ProcessId">6182</Data><Data Name="Image">/usr/bin/touch</Data><Data Name="TargetFilename">/tmp/e11.log</Data><Data Name="CreationUtcTime">2023-06-05 19:58:34.137</Data><Data Name="User">-</Data></EventData></Event>
Jun  5 19:58:34 202-u20-dev-agent sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-06-05T19:58:34.136231000Z"/><EventRecordID>2551</EventRecordID><Correlation/><Execution ProcessID="6140" ThreadID="6140"/><Channel>Linux-Sysmon/Operational</Channel><Computer>202-u20-dev-agent</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-06-05 19:58:34.137</Data><Data Name="ProcessGuid">{924935dc-3e6a-647e-f6c4-ad8b37560000}</Data><Data Name="ProcessId">6182</Data><Data Name="Image">/usr/bin/touch</Data><Data Name="User">root</Data></EventData></Event>
Jun  5 19:58:34 202-u20-dev-agent sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-06-05T19:58:34.138147000Z"/><EventRecordID>2552</EventRecordID><Correlation/><Execution ProcessID="6140" ThreadID="6140"/><Channel>Linux-Sysmon/Operational</Channel><Computer>202-u20-dev-agent</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-06-05 19:58:34.137</Data><Data Name="ProcessGuid">{924935dc-3e6a-647e-5655-174564550000}</Data><Data Name="ProcessId">6183</Data><Data Name="Image">/usr/bin/rm</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">rm /tmp/e11.log</Data><Data Name="CurrentDirectory">/root</Data><Data Name="User">root</Data><Data Name="LogonGuid">{924935dc-fbf9-647d-0000-000001000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">7</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{924935dc-3c57-647e-0ddf-87b869550000}</Data><Data Name="ParentProcessId">6160</Data><Data Name="ParentImage">/usr/bin/bash</Data><Data Name="ParentCommandLine">bash</Data><Data Name="ParentUser">root</Data></EventData></Event>
Jun  5 19:58:34 202-u20-dev-agent sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>23</EventID><Version>5</Version><Level>4</Level><Task>23</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-06-05T19:58:34.139025000Z"/><EventRecordID>2553</EventRecordID><Correlation/><Execution ProcessID="6140" ThreadID="6140"/><Channel>Linux-Sysmon/Operational</Channel><Computer>202-u20-dev-agent</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-06-05 19:58:34.139</Data><Data Name="ProcessGuid">{924935dc-3e6a-647e-5655-174564550000}</Data><Data Name="ProcessId">6183</Data><Data Name="User">-</Data><Data Name="Image">/usr/bin/rm</Data><Data Name="TargetFilename">/tmp/e11.log</Data><Data Name="Hashes">-</Data><Data Name="IsExecutable">-</Data><Data Name="Archived">-</Data></EventData></Event>
Jun  5 19:58:34 202-u20-dev-agent sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-06-05T19:58:34.139134000Z"/><EventRecordID>2554</EventRecordID><Correlation/><Execution ProcessID="6140" ThreadID="6140"/><Channel>Linux-Sysmon/Operational</Channel><Computer>202-u20-dev-agent</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-06-05 19:58:34.139</Data><Data Name="ProcessGuid">{924935dc-3e6a-647e-5655-174564550000}</Data><Data Name="ProcessId">6183</Data><Data Name="Image">/usr/bin/rm</Data><Data Name="User">-</Data></EventData></Event>

Expected behavior

In the events with IDs 1, 5 and 23 I expected to see in EventData the hashes of the files and of the process image, something like:

<Data Name="Hashes">SHA1=B0BF5AC2E81BBF597FAD5F349FEEB32CAC449FA2, MD5=6A255BEBF3DBCD13585538ED47DBAFD7, SHA256=4668BB2223FFB983A5F1273B9E3D9FA2C5CE4A0F1FB18CA5C1B285762020073C, IMPHASH=2505BD03D7BD285E50CE89CEC02B333B</Data>

But I get:

<Data Name="Hashes">-</Data>

Additional context

I have only been able to find a Microsoft blog entry where they refer to the fields that are supported and attach the following link to see the events: https://github.com/OTRF/OSSEM-DD/tree/main/linux/sysmon

Thank you for looking at this issue, and if you have more documentation on the supported events it will be gladly received!
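As an added example (not code from this issue or from the SysmonForLinux project), the check below parses syslog-wrapped Sysmon for Linux events like the ones logged above and reports, for the event IDs whose EventData carries a Hashes field (1 and 23 in these logs), how many events actually have it populated rather than the "-" placeholder. The sample lines are constructed and trimmed to the fields the check reads; the field names and wrapping follow the events shown on this page.

```python
"""Parse Sysmon for Linux syslog events and report which ones carry file hashes."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the fields this check needs. Real events are wrapped
# the same way: "<syslog header> sysmon: <Event>...</Event>" on one line.
SAMPLE_LOG = """\
Jun  5 19:58:34 host sysmon: <Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/touch</Data><Data Name="Hashes">-</Data></EventData></Event>
Jun  5 19:58:34 host sysmon: <Event><System><EventID>11</EventID></System><EventData><Data Name="Image">/usr/bin/touch</Data><Data Name="TargetFilename">/tmp/e11.log</Data></EventData></Event>
Jun  5 19:58:34 host sysmon: <Event><System><EventID>23</EventID></System><EventData><Data Name="Image">/usr/bin/rm</Data><Data Name="TargetFilename">/tmp/e11.log</Data><Data Name="Hashes">SHA256=4668BB2223FFB983A5F1273B9E3D9FA2C5CE4A0F1FB18CA5C1B285762020073C,MD5=6A255BEBF3DBCD13585538ED47DBAFD7</Data></EventData></Event>
"""

# Event IDs whose EventData includes a Hashes field in the events on this page
# (ProcessCreate and FileDelete); FileCreate (11) and ProcessTerminate (5) do not.
HASHED_EVENT_IDS = {1, 23}

SYSLOG_RE = re.compile(r" sysmon: (<Event>.*</Event>)\s*$")

def parse_event(line):
    """Return {'EventID': int, **EventData} for one syslog line, or None if it is not a Sysmon event."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    root = ET.fromstring(m.group(1))
    event = {"EventID": int(root.findtext("System/EventID", "0"))}
    for data in root.iterfind("EventData/Data"):
        event[data.get("Name")] = data.text or ""
    return event

def parse_hashes(field):
    """Split 'SHA256=...,MD5=...' (with or without spaces) into a dict; the '-' placeholder yields {}."""
    if not field or field.strip() == "-":
        return {}
    return dict(kv.split("=", 1) for kv in field.replace(" ", "").split(","))

def hash_coverage(log_text):
    """Per event ID: (events seen, events whose Hashes field is populated)."""
    coverage = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["EventID"] not in HASHED_EVENT_IDS:
            continue
        seen, populated = coverage.get(ev["EventID"], (0, 0))
        coverage[ev["EventID"]] = (seen + 1, populated + bool(parse_hashes(ev.get("Hashes"))))
    return coverage

if __name__ == "__main__":
    for eid, (seen, populated) in sorted(hash_coverage(SAMPLE_LOG).items()):
        print(f"EventID {eid}: {populated}/{seen} events carry hashes")
```

Run against a real /var/log/syslog extract, a result of 0 populated events for IDs 1 and 23 is the symptom reported in this issue, which matters if downstream detections key on hash values.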

MarioHewardt commented 1 year ago

Hi, thanks for reporting this issue. File hashing is not implemented yet. I'll try to get to it (there is a PR) but I have no timeline yet. Stay tuned.