Sysmon 10.4 has been released, and this is a release I have been looking forward to ever since version 9, which introduced RuleGroups. At that time RuleGroups brought no real benefit beyond letting you choose the match behaviour (AND or OR) for the complete set of EventTypes.

This release packs a few refinements to this approach, and trust me, you will probably love them as much as I do! Don't be fooled by the seemingly small bump in the version number: it is a huge improvement.

So for the quick TL;DR: the schema has been updated to 4.22, here is the new schema

This version adds new filter options, "contains any" and "contains all", and, most significantly, the option to add sub-rules to a rule group, allowing you to make multiple AND/OR statements.

First the filters. These are super useful and allow for a lot of flexibility, as well as a form of basic regex-like matching in, for instance, command lines like the one below.

[Figure: Contains all example, separated by a ;]

This way you can state that all values must be present, but their order no longer matters. The same holds for contains any, which basically gives you a way to make sure you cover variant combinations.

[Figure: Contains any example, separated by a ;]

Adding that option is great, since you would not be able to express this as an AND set with two individual OriginalFileName statements.

And as you have probably seen in the examples above, <Rule> is a new node within the configuration.

The groupRelation field works the same as it did for RuleGroups, letting you define either AND or OR, but now as many times as you want within a RuleGroup! This is great: it lets you filter more accurately without compromising detection, and it also lets you monitor event types that were far too noisy before.

The name field is optional and does not change the logged output at all; I use it to make a large configuration file a bit more readable. Trust me, that will help you out later :)
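To make the new pieces concrete, here is a complete configuration fragment in the 4.22 schema that combines both new filter types with sub-rules. This is an added example, not a rule from the post or from the Sysmon-modular repository; the rule names and the command-line fragments it matches on are constructed for illustration.

```xml
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- The RuleGroup relation is unchanged from version 9: everything directly
         inside the event type is OR-ed together -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">

        <!-- Sub-rule 1: every condition inside must match (AND).
             Rule name is a constructed label; it is optional. -->
        <Rule groupRelation="and" name="ps_hidden_encoded">
          <!-- "contains any": match either PowerShell host via its PE OriginalFileName.
               Before 10.4 two OriginalFileName lines could not be AND-ed with the
               CommandLine check below. -->
          <OriginalFileName condition="contains any">PowerShell.EXE;pwsh.dll</OriginalFileName>
          <!-- "contains all": all fragments must be present, in any order -->
          <CommandLine condition="contains all">-nop;-w hidden;-enc</CommandLine>
        </Rule>

        <!-- Sub-rule 2: any single condition is enough (OR).
             Command-line fragments are constructed sample values. -->
        <Rule groupRelation="or" name="ps_download_cradle">
          <CommandLine condition="contains any">DownloadString;DownloadFile;FromBase64String</CommandLine>
          <CommandLine condition="contains">IEX</CommandLine>
        </Rule>

        <!-- A plain filter outside any <Rule> still works as before and is OR-ed
             with the two sub-rules because of the RuleGroup's groupRelation -->
        <ParentImage condition="end with">\winword.exe</ParentImage>

      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Read it top down: a process creation event is included if sub-rule 1 matches as a whole, or sub-rule 2 matches as a whole, or the plain ParentImage filter matches. Without the <Rule> node, the OriginalFileName and CommandLine checks of sub-rule 1 would have been OR-ed with everything else and would have fired on every PowerShell launch, which is exactly the noise the new schema lets you avoid.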

I have been working on updating my Sysmon-modular repository for this release. It is still under development, but a significant part has been reworked already. In my opinion these new features demand a modular approach in order not to get lost.

[Figure: Sysmon-modular v10.4 branch]

At the time of writing I am still working on getting the merge script to work; this change in the schema is quite a challenge on the back end, so bear with me. I will add a manually generated complete version later today for everyone to play with.

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP
