Sysinternals / SysmonForLinux


Event ID 11 - Empty TargetFilename #153

Open DodoK94 opened 9 months ago

DodoK94 commented 9 months ago

Describe the bug
All event ID 11 - File Create events are missing the value in the TargetFilename field; only a dash (-) is shown. It works OK for event ID 23 - File Delete: the path and filename are present.

To Reproduce
Happened with both the default config ("catch all") and custom configs.

Sysmon version
Tested on both 1.3.0 and the newest, 1.3.1.

Distro/kernel version
Linux xxx 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 20.04 LTS

Sysmon configuration
Tested with the default catch-all config. Tested this one: https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/main.xml and tested a couple of custom configurations, all with the same results: events are being collected, but the TargetFilename field is empty.

Logs

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:58:58.151
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:58:58.151
User: isd_poc_security

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:58:58.151
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:58:58.151
User: isd_poc_security

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:58:58.151
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:58:58.151
User: isd_poc_security

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:09.978
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:09.978
User: isd_poc_security

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:14.168
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:14.168
User: -

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:14.168
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:14.168
User: -

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:14.168
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:14.168
User: -

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:21.021
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:21.021
User: -

Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:21.030
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:21.030
User: -

Expected behavior
A path and file name are expected in TargetFilename, in the same way as for ID 23 - File Delete. Without this information it is not possible to investigate events or perform filtering in the config file.

Thank you. Regards, Jozef
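As an added example (not code from the SysmonForLinux project or from the reporter), the script below parses events in the text form quoted in the report, counts file-create records whose TargetFilename is only "-", and collects the paths from event 23 (File Delete) records by ProcessGuid, which the report says still carry the path and so remain the only correlation fallback while the bug is present. Field names follow the quoted output; the sample records are constructed.

```python
"""Triage Sysmon for Linux file-create events that carry no TargetFilename.

Added example, not part of SysmonForLinux. Field names follow the text output
quoted in the report; the sample records below are constructed."""
import re
from collections import Counter

# Constructed sample: two FILE_CREATE records (one with the "-" path from the
# bug, one with a path) and one FILE_DELETE record from the same process.
SAMPLE_LOG = """\
Event SYSMONEVENT_FILE_CREATE RuleName: TechniqueID=T1546,TechniqueName=Event Triggered Execution UtcTime: 2023-10-23 09:58:58.151 ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000} ProcessId: 3045565 Image: /usr/bin/vim.basic TargetFilename: - CreationUtcTime: 2023-10-23 09:58:58.151 User: isd_poc_security
Event SYSMONEVENT_FILE_CREATE RuleName: - UtcTime: 2023-10-23 09:59:14.168 ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000} ProcessId: 3045567 Image: /usr/bin/vim.basic TargetFilename: /home/user/.bashrc CreationUtcTime: 2023-10-23 09:59:14.168 User: -
Event SYSMONEVENT_FILE_DELETE RuleName: - UtcTime: 2023-10-23 09:59:21.021 ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000} ProcessId: 3045567 Image: /usr/bin/vim.basic TargetFilename: /home/user/.bashrc~ User: -
"""

# "Key: value" pairs; a value runs until the next " Key: " token or end of line.
FIELD_RE = re.compile(r"(\w+): (.*?)(?= \w+: |$)")

def parse_event(line):
    """Turn one 'Event <TYPE> Key: value ...' line into a dict, or None."""
    m = re.match(r"Event (\S+) ?(.*)", line.strip())
    if not m:
        return None
    fields = {"Event": m.group(1)}
    fields.update(FIELD_RE.findall(m.group(2)))
    return fields

def parse_log(text):
    return [ev for ev in map(parse_event, text.splitlines()) if ev]

def empty_target_stats(events):
    """Return (file-create count, count with TargetFilename '-', Counter by Image)."""
    creates = [e for e in events if e["Event"] == "SYSMONEVENT_FILE_CREATE"]
    empty = [e for e in creates if e.get("TargetFilename", "-") == "-"]
    return len(creates), len(empty), Counter(e["Image"] for e in empty)

def deletes_by_guid(events):
    """Map ProcessGuid -> paths from FILE_DELETE (event 23) records, which the
    report says still carry the path, so they are the fallback for correlation."""
    paths = {}
    for e in events:
        if e["Event"] == "SYSMONEVENT_FILE_DELETE":
            paths.setdefault(e["ProcessGuid"], []).append(e["TargetFilename"])
    return paths

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(empty_target_stats(evs))
    print(deletes_by_guid(evs))
```

Point parse_log at the syslog lines Sysmon writes on an affected host to measure how much of your event 11 telemetry is unusable before relying on it for filtering or hunting.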

cc-sir commented 1 month ago

I also encountered the same problem, and my version is the latest version, 1.3.3. Why is this, and is there any temporary solution? Thanks!