One can reliably create ProcessGUID collisions from different ProcessCreate events by launching non-Position Independent Executables (PIE) within a second. This has been an issue for me, trying to correlate events.
It looks like ProcessGUIDs are created by combining a few pieces of information:
Although most executables on Linux distributions are compiled as PIE, it's not guaranteed, and it's not obvious that Sysmon GUID generation could produce duplicates in this scenario.
Perhaps instead of just using something like the text segment location, other data could be packed into the ProcessKey as well. There's 64 bits to work with and these addresses for PIEs will only have ~28 bits of randomness (measured on default Ubuntu systems with paxtest).
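The report above hinges on which binaries are non-PIE, since those are the ones whose text segment lands at the same address on every launch. The script below is an added example for triaging that, not code from the issue author or from the Sysmon project: it reads the ELF header of each file given on the command line and reports whether `e_type` is `ET_EXEC` (fixed load address, non-PIE) or `ET_DYN` (PIE, or a shared object), and with `--pid N` it prints the base address of the main executable's first mapping from `/proc/N/maps` so two launches of the same binary can be compared. The constructed headers in `make_header` are synthetic test inputs, and the assumption that the first mapping of `/proc/<pid>/exe` is the text segment base is the only thing taken on faith here.

```python
"""Classify ELF files as PIE (ET_DYN) or non-PIE (ET_EXEC).

Added example, not part of the original issue report. Only the 64-byte
ELF header is read; ET_DYN is reported as "pie" although shared libraries
use the same e_type value, so point this at executables, not .so files.
"""
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF spec
ELFCLASS32, ELFCLASS64 = 1, 2   # EI_CLASS
ELFDATA2LSB, ELFDATA2MSB = 1, 2 # EI_DATA (byte order of the header fields)


def elf_type(header: bytes) -> str:
    """Return 'exec', 'pie' or 'other' for the leading bytes of an ELF file."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type sits at offset 16 in both ELF32 and ELF64 headers.
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    if e_type == ET_EXEC:
        return "exec"   # fixed link-time address: reproduces the collision
    if e_type == ET_DYN:
        return "pie"    # relocated by the loader, ~28 bits of ASLR entropy
    return "other"      # ET_REL, ET_CORE, ...


def classify_file(path: str) -> str:
    with open(path, "rb") as f:
        return elf_type(f.read(64))


def text_base(pid: int) -> int:
    """Start address of the first mapping backed by /proc/<pid>/exe.

    Assumption (labelled): for a normal ELF executable the lowest mapping of
    the main binary is the one to compare across launches; it is constant
    for ET_EXEC binaries and randomised for ET_DYN ones.
    """
    exe = os.readlink(f"/proc/{pid}/exe")
    with open(f"/proc/{pid}/maps") as f:
        for line in f:
            parts = line.split()
            if len(parts) >= 6 and parts[5] == exe:
                return int(parts[0].split("-")[0], 16)
    raise RuntimeError(f"no mapping for {exe} in /proc/{pid}/maps")


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-byte ELF64 x86-64 header for self-tests (synthetic data)."""
    endian = "<" if little_endian else ">"
    ei_data = ELFDATA2LSB if little_endian else ELFDATA2MSB
    return struct.pack(
        endian + "4sBBBBxxxxxxxxHHIQQQIHHHHHH",
        ELF_MAGIC, ELFCLASS64, ei_data, 1, 0,   # e_ident: class, data, version, OS ABI
        e_type, 0x3E, 1,                        # e_type, e_machine (x86-64), e_version
        0x401000, 64, 0,                        # e_entry, e_phoff, e_shoff
        0, 64, 56, 0, 64, 0, 0,                 # e_flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )


if __name__ == "__main__":
    args = sys.argv[1:]
    if len(args) == 2 and args[0] == "--pid":
        print(f"pid {args[1]}: text base 0x{text_base(int(args[1])):x}")
        sys.exit(0)
    for path in args:
        try:
            print(f"{classify_file(path):5s} {path}")
        except (OSError, ValueError) as exc:
            print(f"skip  {path} ({exc})", file=sys.stderr)
```

Run it as `python3 elfpie.py /usr/bin/*` to list the `exec` binaries on a host, then launch one of them twice and compare `--pid` output for each: the `exec` ones will report the same base address both times, which is the condition the report identifies for duplicate ProcessGUIDs.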