Sysmon not logging all process creation events (Calculator and other sandboxed apps)

Posted on in security
   Leave a reply

Sysmon

System Monitor or Sysmon is a Windows system service and device driver that provides event data on process creation, network connections and file alterations. It is one of the most powerful tools available for security monitoring and gives detailed insight on what is happening on an endpoint.

Sysmon can be started from the command line, with a specific set of modules and processes to monitor but will in most cases be installed as a service and configured via an XML configuration file. These XML configuration files can be fairly complex and might scare potential users. To get started with Sysmon, a lot of administrators will use the configuration file provided by SwiftOnSecurity : sysmonconfig-export.xml.

Process creation. And Windows Calculator

Sysmon tracks process creation via Event ID 1. One of the obvious cases to test if logging of process execution works is by launching the Windows Calculator. However, if you do this on Windows 10 with the default SwiftOnSecurity Sysmon configuration file then you’ll be in for a surprise. The start of the calculator will not be recorded.

Why?

One of the exclusion for the process creation event is for the IntegrityLevel set to AppContainer, basically exclude the logging of process execution of Windows sandboxed processes. 

<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Windows: Don't care about sandboxed processes right now. Will need to revisit this decision.-->

Whether or not this is a good thing is up to you to decide (take into account the relative minimal extra log entries these events will likely cause). But, if you want to keep track of the launch of sandboxed applications, then you will have to comment that line.

If you want to know more about the security features of IntegrityLevels, then read Integrity Levels and DLL Injection.

Sysmon isn’t your only source

If you cannot install Sysmon and would still like to track process creation then you can fall-back to Windows Security Auditing. The Event ID 4688 gives similar results as Sysmon Event ID 1. By default, process tracking is not enabled, you need to do this via the Group Policy Editor (Audit Process Tracking).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.