Sysmon - suspicious process


Daniel D'Angeli

May 16, 2023, 5:31:49 AM5/16/23
to Wazuh mailing list
Hi,

we have installed Sysmon on a couple of Windows machines and since then we receive very frequent alerts for rules 61638 and 61618 for svchost.exe, dllhost.exe etc.

I checked the rule and it seems simply that whenever one of taskhost.exe, dllhost.exe, svchost.exe, lsm.exe, csrss.exe, lsass.exe, winlogon.exe, wininit.exe, smss.exe or services.exe gets executed in a new process, Wazuh determines them as malicious.

May I get an explanation why? It's quite noisy since those executables are part of Windows and get used very often.

Also, apart from disabling those rules is there an alternative to reduce the noise?

Regards,
Daniel D.

Cedrick Foko

May 16, 2023, 7:11:57 AM5/16/23
to Wazuh mailing list
Hi Daniel,
Thank you for using Wazuh!

It seems that Sysmon services cause a lot of false positives with Wazuh because of the Sysmon event decoders and rules.
Since this happens for a lot of different services and we are sure they are false positives, I would recommend overwriting the rule with level 0, so you won't receive noisy alerts anymore.

I hope this helps. Please don't hesitate to ask if you have any other questions.

Cedrick
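One way to put the level-0 suggestion above into practice, as an added example that is not part of the thread and not Wazuh's own rule set: a child rule in the manager's local_rules.xml. A child rule that matches at level 0 is never alerted on, and unlike overwrite="yes" it does not require copying the original rule's match conditions. The rule ids 100100 and 100101, the group name, and the field name win.eventdata.image (the Sysmon image path as decoded by Wazuh) are assumptions for this example; the second rule narrows the suppression to binaries loaded from their expected System32 location so that the same process names run from elsewhere still raise the original alert.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml (assumed path). -->
<group name="local,sysmon,">

  <!-- Option A: what the reply suggests. Every event that would have matched
       rules 61638 or 61618 now matches this level-0 child rule instead,
       so nothing is alerted. -->
  <rule id="100100" level="0">
    <if_sid>61638,61618</if_sid>
    <description>Sysmon: suppress process-creation alerts for Windows system binaries.</description>
  </rule>

  <!-- Option B (assumed narrower variant, use instead of A): only suppress when
       the image path is the real System32 binary; any of these names executed
       from another directory keeps the original alert level. -->
  <rule id="100101" level="0">
    <if_sid>61638,61618</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\Windows\\System32\\(taskhost|dllhost|svchost|lsm|csrss|lsass|winlogon|wininit|smss|services)\.exe$</field>
    <description>Sysmon: expected Windows system binary started from System32, not alerted.</description>
  </rule>

</group>
```

Custom rule ids must stay in the local range (100000 and above) and the manager has to be restarted for the file to be loaded. Option B is the one to keep in practice: it removes the noise from the thread while leaving the detection intact for the case it was written for.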

Daniel D'Angeli

May 16, 2023, 8:46:55 AM5/16/23
to Wazuh mailing list
Hi,

thanks for the clarification. Are there any plans to improve this kind of detection? It is quite an important and useful one.

Regards,
Daniel D.

Cedrick Foko

May 16, 2023, 10:37:03 AM5/16/23
to Wazuh mailing list
Hello Daniel,
Basically, the false positive alerts here are caused by the Sysmon rules triggering on these events. The rules and decoders are being enhanced every day to improve the detection process.

I hope this clarifies. Please let me know if you have any other questions.