Sysinternals / SysmonForLinux

MIT License

Config ProcessCreate - CommandLine contains "-S" parameter not logged #137

Closed Scrambled47 closed 11 months ago

Scrambled47 commented 11 months ago

Describe the bug: We encountered an issue while setting up a config to log the "passwd -S" CommandLine. The bug doesn't appear with any of our other configuration.

To Reproduce: Use the Sysmon configuration below. Type the CLI command "passwd -S" while running tail -f /var/log/syslog | grep "T1201". To verify the config, type "passwd --status" while running tail -f /var/log/syslog | grep "T1201".

Sysmon version Sysmon v1.2.0

Distro/kernel version Ubuntu 22.04.2 LTS - 5.4

Sysmon configuration

<Sysmon schemaversion="4.70">
 <EventFiltering>
 <!-- Event ID 1 == ProcessCreate. Log all newly created processes -->
  <RuleGroup name="" groupRelation="or">
   <ProcessCreate onmatch="include">
    <Rule name="T1201" groupRelation="and">
     <CommandLine condition="contains">passwd</CommandLine>
     <CommandLine condition="contains">-S</CommandLine>
    </Rule>
    <Rule name="T1201" groupRelation="and">
     <CommandLine condition="contains">passwd</CommandLine>
     <CommandLine condition="contains">--status</CommandLine>
    </Rule>
   </ProcessCreate>
  </RuleGroup>
 </EventFiltering>
</Sysmon>

Expected behavior Sysmon should generate a log for both "passwd -S" and "passwd --status" with RuleName "T1201".
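To check the expected behaviour described above independently of the Sysmon binary, here is an added example (not SysmonForLinux's own code) that parses the ProcessCreate include rules from the reported configuration with Python's standard library and evaluates them against constructed command lines, following Sysmon's documented rule semantics (string conditions are case-insensitive; groupRelation is "and" or "or"). The string-condition subset, the `match_process_create` helper and the sample events are assumptions made for this example; it only confirms that the rule set itself should match, it says nothing about why the collector did not emit the event.

```python
"""Reference evaluator for Sysmon ProcessCreate include rules (added example)."""
import xml.etree.ElementTree as ET

# Constructed copy of the configuration from the bug report above.
SYSMON_CONFIG = """<Sysmon schemaversion="4.70">
 <EventFiltering>
  <RuleGroup name="" groupRelation="or">
   <ProcessCreate onmatch="include">
    <Rule name="T1201" groupRelation="and">
     <CommandLine condition="contains">passwd</CommandLine>
     <CommandLine condition="contains">-S</CommandLine>
    </Rule>
    <Rule name="T1201" groupRelation="and">
     <CommandLine condition="contains">passwd</CommandLine>
     <CommandLine condition="contains">--status</CommandLine>
    </Rule>
   </ProcessCreate>
  </RuleGroup>
 </EventFiltering>
</Sysmon>"""


def _field_matches(condition: str, needle: str, value: str) -> bool:
    """Evaluate one <Field condition="...">needle</Field> against an event value.

    Sysmon compares strings case-insensitively; only a subset of the
    documented conditions is implemented here (assumption for the example).
    """
    value, needle = value.lower(), needle.lower()
    if condition == "contains":
        return needle in value
    if condition == "is":
        return value == needle
    if condition == "begin with":
        return value.startswith(needle)
    if condition == "end with":
        return value.endswith(needle)
    raise ValueError(f"unsupported condition: {condition}")


def _rule_matches(rule: ET.Element, event: dict) -> bool:
    """A <Rule> matches when its fields combine per groupRelation (and/or)."""
    relation = rule.get("groupRelation", "or").lower()
    results = [
        _field_matches(field.get("condition", "is"), field.text or "",
                       event.get(field.tag, ""))
        for field in rule
    ]
    if not results:
        return False
    return all(results) if relation == "and" else any(results)


def match_process_create(config_xml: str, event: dict):
    """Return the RuleName of the first include rule the event matches, else None.

    `event` maps Sysmon field names (e.g. "CommandLine") to their values.
    """
    root = ET.fromstring(config_xml)
    for process_create in root.iter("ProcessCreate"):
        if process_create.get("onmatch") != "include":
            continue
        for rule in process_create.findall("Rule"):
            if _rule_matches(rule, event):
                return rule.get("name", "")
        # Fields placed directly under <ProcessCreate> act as single-field rules.
        for field in process_create:
            if field.tag == "Rule":
                continue
            if _field_matches(field.get("condition", "is"), field.text or "",
                              event.get(field.tag, "")):
                return field.get("name", "")
    return None


def evaluate_samples() -> dict:
    """Run constructed command lines through the rule set; keyed by command line."""
    samples = ["passwd -S", "passwd --status", "passwd alice", "systemctl --status"]
    return {cmd: match_process_create(SYSMON_CONFIG, {"CommandLine": cmd})
            for cmd in samples}


if __name__ == "__main__":
    for cmd, rule_name in evaluate_samples().items():
        print(f"{cmd!r:24} -> {rule_name}")
```

Both "passwd -S" and "passwd --status" resolve to RuleName T1201 under the rule semantics, while "passwd alice" and "systemctl --status" fall through to None because each satisfies only one of the two "and"-joined conditions. Note that because Sysmon string matching is case-insensitive, the "-S" condition also matches the lowercase substring in "--status", so the first rule already covers both spellings; the second rule is redundant but harmless.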

MarioHewardt commented 11 months ago

Thanks for reporting this issue. Can you elaborate on - "The bug doesn't appear with any of our other configuration."?

Scrambled47 commented 11 months ago

Thanks for your reply. That's a bit misleading from my side, sorry. I meant that the rest of our configuration, which is built in this scheme

```
command
 <CommandLine condition="contains">argument</CommandLine>
```

does work. Only the passwd -S combination does not trigger the Rule nor logs it.

MarioHewardt commented 11 months ago

Thanks for the clarification, appreciate it. I've identified the problem and I'm working on a fix.

MarioHewardt commented 11 months ago

This has now been fixed. Thanks again for reporting the issue!