Detectionhightest
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Tue Jul 14Updated Wed Oct 2218beca67-ab3e-4ee3-ba7a-a46ca8d7d0ccwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
selection1:
EventID: 4657
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
NewValue: 0
selection2:
EventID: 4663
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: '0x10000'
condition: 1 of selection*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID
18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
Status
test
Level
high
Type
Detection
Created
Tue Jul 14
Modified
Wed Oct 22
Path
rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.t1112