During my testing I came across an issue where excludes do not seem to work properly for some Registry events.
Below are the details, but I wonder whether this comment section is the correct location for issues/bug reports? I know that there is a forum, but this seems to be pretty much ignored. I know that a contact address is specified in the text file on the live.sysinternals.com page but I am not sure whether it is appropriate to send bug reports there? Any clarification would be appreciated.
Now onto the potential bug: I discovered that in a config with thousands of lines excludes were not working as expected. Specifically it seems that in excludes for registry SetValue events the <User> directive is not working.
I've built a stripped down config that can be used for reproduction (using Sysmon 15.14):
<Sysmon schemaversion="4.90">
  <HashAlgorithms>*</HashAlgorithms>
  <CheckRevocation>False</CheckRevocation>
  <DnsLookup>False</DnsLookup>
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <ProcessCreate onmatch="include">
    </ProcessCreate>
    <ProcessTerminate onmatch="include">
    </ProcessTerminate>
    <RegistryEvent onmatch="include">
      <TargetObject condition="begin with">HKLM\SOFTWARE\aaa_sysmon_debug</TargetObject>
    </RegistryEvent>
    <RegistryEvent onmatch="exclude">
      <Rule groupRelation="and">
        <TargetObject condition="begin with">HKLM\SOFTWARE\aaa_sysmon_debug</TargetObject>
        <User condition="is">DOMAIN\my.username</User>
      </Rule>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
Note the <User> element, which should cause events caused by the specified user to be excluded.
However, this only seems to work for the deletion event. The creation event is logged despite the exclude.
My test case is to generate a new string under the HKLM\SOFTWARE\aaa_sysmon_debug\ key and delete it afterwards.
Observations:
- When the <User> line is removed from the config, no event is generated (expected)
- When the username in the <User> line is changed to any random name, two events are generated (expected)
- When the username in the <User> line is set to my actual user, one event is generated: the SetValue event is generated, even though it should be excluded
Output from the debug mode for case 2:
Event SYSMONEVENT_REG_SETVALUE
RuleName: -
EventType: SetValue
UtcTime: 2024-05-16 17:15:08.420
ProcessGuid: {82F11355-3420-6646-728A-000000001B01}
ProcessId: 38896
Image: C:\Windows\regedit.exe
TargetObject: HKLM\SOFTWARE\aaa_sysmon_debug\Neuer Wert #1
Details: Binary Data
User: DOMAIN\my.username
Event SYSMONEVENT_REG_KEY
RuleName: -
EventType: DeleteValue
UtcTime: 2024-05-16 17:15:12.446
ProcessGuid: {82F11355-3420-6646-728A-000000001B01}
ProcessId: 38896
Image: C:\Windows\regedit.exe
TargetObject: HKLM\SOFTWARE\aaa_sysmon_debug\Neuer Wert #1
User: DOMAIN\my.username
Output from the debug mode for case 3:
Event SYSMONEVENT_REG_SETVALUE
RuleName: -
EventType: SetValue
UtcTime: 2024-05-16 17:16:22.455
ProcessGuid: {82F11355-3420-6646-728A-000000001B01}
ProcessId: 38896
Image: C:\Windows\regedit.exe
TargetObject: HKLM\SOFTWARE\aaa_sysmon_debug\Neuer Wert #1
Details: (Empty)
User: DOMAIN\my.username
This is the output of sysmon -c (which seems to be correct):
System Monitor v15.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Current configuration:
- Service name: Sysmon
- Driver name: SysmonDrv
- Config file: redacted\sysmon_ext_v1_debug.xml
- Config hash: SHA256=53DF681F6AD59D2F0F7DC5E4923A02B756D2DA6BFB98CC5389E0B0EDE2A4C893
- HashingAlgorithms: SHA1,MD5,SHA256,IMPHASH
- Network connection: disabled
- Archive Directory: -
- Image loading: disabled
- CRL checking: disabled
- DNS lookup: disabled
Rule configuration (version 4.90):
- ProcessCreate onmatch: include combine rules using 'And'
- ProcessTerminate onmatch: include combine rules using 'And'
- RegistryEvent onmatch: include combine rules using 'And'
TargetObject filter: begin with value: 'HKLM\SOFTWARE\aaa_sysmon_debug'
- RegistryEvent onmatch: exclude combine rules using 'And'
Compound Rule 0001 combine using And
TargetObject filter: begin with value: 'HKLM\SOFTWARE\aaa_sysmon_debug'
User filter: is value: 'DOMAIN\my.username'
Is this an issue in sysmon or is my configuration faulty?
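The following PowerShell script is an added reproduction helper for the test described in this report; it is not part of the original post and not Sysmon's own tooling. It assumes Sysmon is installed with the posted configuration, that the Microsoft-Windows-Sysmon/Operational log is enabled, and that it is run from an elevated PowerShell (writes under HKLM need administrator rights). The key path comes from the report; the value name is a constructed stand-in for the value created by hand in regedit. It creates and deletes a string value, then reads back the Sysmon registry events (IDs 12, 13 and 14) for that key so the EventType and User fields can be compared with what the exclude rule should have suppressed.

```powershell
# Added reproduction helper (not from the original report, not Sysmon code).
# Assumes: elevated PowerShell, Sysmon running with the posted config,
# and the Sysmon operational log enabled.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\aaa_sysmon_debug',   # key from the report
    [string]$ValueName = 'sysmon_exclude_test'                 # constructed value name
)

$start = (Get-Date).ToUniversalTime()

# 1. Reproduce the test case: create a string value, then delete it again.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -Value 'test' -PropertyType String -Force | Out-Null
Remove-ItemProperty -Path $KeyPath -Name $ValueName -Force

# Give the driver and service a moment to flush the events to the log.
Start-Sleep -Seconds 3

# 2. Pull Sysmon registry events written since $start:
#    12 = key/value create or delete, 13 = SetValue, 14 = rename.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 12, 13, 14
    StartTime = $start.ToLocalTime()
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into an object and keep only
#    those whose TargetObject is under the test key.
$prefix = 'HKLM\SOFTWARE\aaa_sysmon_debug'
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['TargetObject'] -like "$prefix*") {
        [pscustomobject]@{
            EventId      = $e.Id
            EventType    = $d['EventType']
            TargetObject = $d['TargetObject']
            User         = $d['User']
            Image        = $d['Image']
        }
    }
}

# 4. Report. If the exclude rule's <User> value matches the account running
#    this script, the expected number of events is 0; any SetValue event that
#    still appears with that User is the behaviour the report describes.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Current user: $me"
"Registry events under $prefix since $($start.ToString('u')): $(@($hits).Count)"
$hits | Format-Table -AutoSize
```

Run it once with the <User> value set to the account shown in the "Current user" line and once with a different name; comparing the two counts against the three observations above gives the same check without relying on regedit and the debug console, and the Image column confirms the events come from the script's own process rather than from something else touching the key.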