Closed Scrambled47 closed 11 months ago
Thanks for reporting this issue. Can you elaborate on - "The bug doesn't appear with any of our other configuration."?
Thanks for your reply. That's a bit misleading from my side, sorry. I meant that the rest of our configuration, which is built in this scheme,

```xml
<CommandLine condition="contains">argument</CommandLine>
```

does work. Only the `passwd -S` combination does not trigger the rule or log it.
Thanks for the clarification, appreciate it. I've identified the problem and I'm working on a fix.
This has now been fixed. Thanks again for reporting the issue!
**Describe the bug**
We encountered an issue while setting up a config to log the `passwd -S` CommandLine. The bug doesn't appear with any of our other configuration.

**To Reproduce**
1. Use the Sysmon configuration below.
2. Run `passwd -S` while watching the log with `tail -f /var/log/syslog | grep "T1201"`.
3. To verify the config, run `passwd --status` while watching the log with `tail -f /var/log/syslog | grep "T1201"`.

**Sysmon version**
Sysmon v1.2.0

**Distro/kernel version**
Ubuntu 22.04.2 LTS - 5.4

**Sysmon configuration**

**Expected behavior**
Sysmon should generate a log for both `passwd -S` and `passwd --status` with RuleName "T1201".
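An illustrative Sysmon for Linux rule for the scenario in this report, added here as an example; it is not the reporter's configuration (which is not reproduced on this page). The `schemaversion` value is an assumption and should match the Sysmon build in use; the `name` attribute on a filter is what Sysmon emits as the RuleName field.

```xml
<!-- schemaversion is an assumption; use the version your sysmon binary reports -->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1 (ProcessCreate): include only command lines we want to audit.
           Each filter's name attribute becomes the RuleName in the emitted event,
           so both spellings of the status query are tagged T1201. -->
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains" name="T1201">passwd -S</CommandLine>
        <CommandLine condition="contains" name="T1201">passwd --status</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sudo sysmon -c config.xml` and then follow the reproduction steps above; with the fix referenced in this thread, both commands should produce a syslog line containing `T1201`.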