olafhartong / sysmon-modular

A repository of sysmon configuration modules
MIT License

My bad or an issue? registry_event exclude ending up in wrong place #88

Closed DkYSwe closed 2 years ago

DkYSwe commented 3 years ago

Hi,

Right or wrong, I tried to create a "12_13_14_registry_event" exclude file which should exclude everything not included using the include files. The file was named "exclude_everything.xml" (all other exclude files removed) and the content is:

<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM</TargetObject>
        <TargetObject condition="begin with">HKU</TargetObject>
        <TargetObject condition="begin with">HKCR</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

When creating the sysmonconfig.xml file, the rows above end up at the end of the XML file (below Event ID 25), see below:

    <RuleGroup groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM</TargetObject>
        <TargetObject condition="begin with">HKU</TargetObject>
        <TargetObject condition="begin with">HKCR</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\atsvc</PipeName>
        <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msagent_</PipeName>
        <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msf-pipe</PipeName>
        <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\PSEXESVC</PipeName>
        <PipeName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="begin with">\srvsvc</PipeName>
        <PipeName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="begin with">\winreg</PipeName>
      </PipeEvent>
    </RuleGroup>
    <RuleGroup groupRelation="or">
      <FileDelete onmatch="exclude">
        <Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
        <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
        <User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Anything I'm doing wrong, or is there a bug?
Downloaded from Git on April 21st.

BR Daniel
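As an added example (not part of this issue and not sysmon-modular's own code), a small Python check that reads a generated sysmonconfig.xml and reports event types whose RuleGroups ended up scattered across the file, which is the symptom reported above. The embedded configuration is constructed to mirror that layout; a real run would read the generated file instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real sysmon-modular output) that mirrors the layout in
# the report: the RegistryEvent exclude group lands after an unrelated PipeEvent group.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="begin with">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName condition="begin with">\\PSEXESVC</PipeName>
      </PipeEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def rule_group_sequence(xml_text):
    """Return (event_type, onmatch) for every RuleGroup, in document order."""
    root = ET.fromstring(xml_text)
    return [(event.tag, event.get("onmatch", ""))
            for group in root.iter("RuleGroup") for event in group]


def split_event_types(sequence):
    """Event types whose RuleGroups are not adjacent, i.e. a merge scattered them."""
    last_seen, split = {}, []
    for index, (event_type, _) in enumerate(sequence):
        if (event_type in last_seen and last_seen[event_type] != index - 1
                and event_type not in split):
            split.append(event_type)
        last_seen[event_type] = index
    return split


def duplicate_groups(sequence):
    """(event_type, onmatch) pairs that occur more than once after merging."""
    return sorted({pair for pair in sequence if sequence.count(pair) > 1})


if __name__ == "__main__":
    seq = rule_group_sequence(SAMPLE_CONFIG)
    print("split:", split_event_types(seq), "duplicates:", duplicate_groups(seq))
```

Pointing `rule_group_sequence` at the merged sysmonconfig.xml makes it easy to confirm, after regenerating, that each event type's include and exclude groups sit together.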

olafhartong commented 2 years ago

The generation has been improved quite a bit and should be fixed by now, thanks for letting me know!