Issues with CommadnLine conditions "Testing Line Dllhost.exe exclusion" #74
Comments
|
I'm sorry can you provide the complete line you're testing? |
|
I'm new to working with Sysmon and I'm interested in this too. |
|
Sorry, I have been away for a few days. Upgraded to 10.2 with same issues.
|
|
This is excluded, note the section starting process on match = exclude
…On Thu, 13 Jun 2019, 23:51 ClintRajaniemi, ***@***.***> wrote:
I'm new to working with Sysmon and I'm interested in this too.
This is under Event ID 1 section. I've grabbed a few extra lines for
context.
<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
<ProcessCreate onmatch="exclude">
<!--SECTION: Microsoft Windows-->
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#74?email_source=notifications&email_token=AAWYQ3DK6TAY3M6P3TIOO73P2LFPZA5CNFSM4HWERGB2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXVHZBI#issuecomment-501906565>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAWYQ3A6YRNRGNQ754PEWSDP2LFPZANCNFSM4HWERGBQ>
.
|
|
That will depend on your config, are you logging cnd.exe events if so ut
will log this. To answer your question, please pist config if you can.
…On Sat, 8 Jun 2019, 07:36 johnyb0312, ***@***.***> wrote:
Any:
Trying to understand config fully.
Under ProcessCreate onmatch='exclude' I expect that all processes created
on the system running sysmon to be logged except what we specify in the
stanza's below.
Line 76: C:\Windows\system32\DllHost.exe /Processid
When the system creates a service using DLLHost.exe from system32 the
system "does not" log the event. This is expected.
When I attempt to invoke the process interactively from "cmd.exe" the
system logs the event.
Can someone explain why this is and what I need to do to test this rule
interactively or explain why I cannot?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#74?email_source=notifications&email_token=AAWYQ3D6OICYAG5STLC677TPZNHPJA5CNFSM4HWERGB2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4GYL37GA>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAWYQ3C2EGJTLDIV5R3RA53PZNHPJANCNFSM4HWERGBQ>
.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Any:
Trying to understand config fully.
Under ProcessCreate onmatch='exclude' I expect that all processes created on the system running sysmon to be logged except what we specify in the stanza's below.
Line 76: C:\Windows\system32\DllHost.exe /Processid
When the system creates a service using DLLHost.exe from system32 the system "does not" log the event. This is expected.
When I attempt to invoke the process interactively from "cmd.exe" the system logs the event.
Can someone explain why this is and what I need to do to test this rule interactively or explain why I cannot?
The text was updated successfully, but these errors were encountered: