ProcessCreate (EventID 1) does not print echo commands

[chrisanag1985]

Hi!!! As Sysmon For Linux doesn't support File Integrity, i am trying to create rules that have to do with editing a file under linux filesystem, like echo "test" > file.txt || echo "test" >> file.txt. But the ProcessCreate doesn't print these commands. I know that some commands like history, unset are not real commands(binaries), but echo command has a binary file. Is a problem of Sysmon or i do something wrong? Thanks in advance

  <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
            <Image condition="is">/usr/bin/bash</Image>
            <Image condition="is">/usr/bin/echo</Image>
            <CommandLine condition="contains">echo</CommandLine>
      </ProcessCreate>
    </RuleGroup>

[MarioHewardt]

Hi - echo is a shell built-in in most circumstances:

$ type echo echo is a shell builtin

If you were to specifically run the echo binary (/usr/bin/echo) Sysmon will fire a ProcessCreate event.

[chrisanag1985]

Thanks for the clarification. So the bash doesn't use the /usr/bin/echo, but the built-in command. Thank you for your reply.