
Sysmon Configuration Modification

Detects when an attacker tries to hide from Sysmon by disabling or stopping it

Author: François Hubaut

Log Source
Product: windows
Category: sysmon_status
Detection Logic
detection:
    selection_stop:
        State: Stopped
    selection_conf:
        - 'Sysmon config state changed'
    filter:
        State: Started
    condition: 1 of selection_* and not filter
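To make the condition "1 of selection_* and not filter" concrete, the following added example (not part of the rule or the SigmaHQ project) evaluates the three selectors over constructed Sysmon status events. The event dictionaries and the treatment of the keyword list as a substring search over every field are assumptions made for the example.

```python
# Added example, not the rule's own code: evaluates the Sigma condition
# "1 of selection_* and not filter" over constructed Sysmon status events.

def match_selection_stop(event):
    """selection_stop: State equals 'Stopped' (Sigma field matching is case-insensitive)."""
    return str(event.get("State", "")).lower() == "stopped"

def match_selection_conf(event):
    """selection_conf is a bare keyword list. Sigma matches keywords against the
    whole event; assumed here to be a case-insensitive substring search over
    every field value."""
    keyword = "sysmon config state changed"
    return any(keyword in str(v).lower() for v in event.values())

def match_filter(event):
    """filter: State equals 'Started'; such events are excluded by 'and not filter'."""
    return str(event.get("State", "")).lower() == "started"

def rule_matches(event):
    """condition: 1 of selection_* and not filter"""
    any_selection = match_selection_stop(event) or match_selection_conf(event)
    return any_selection and not match_filter(event)

# Constructed sample events shaped like Sysmon's own status log: Event ID 4 is
# "service state changed", Event ID 16 is "config state changed". All values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4, "State": "Started", "Message": "Sysmon service state changed"},
    {"EventID": 4, "State": "Stopped", "Message": "Sysmon service state changed"},
    {"EventID": 16, "Configuration": "C:\\sysmon\\config.xml",
     "ConfigurationFileHash": "SHA256=<placeholder>",
     "Message": "Sysmon config state changed"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "State": ""},
]

def flagged_event_ids(events):
    """Return the EventIDs of the events the rule condition selects."""
    return [e["EventID"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventID"], "ALERT" if rule_matches(e) else "ok")
```

Only the Stopped service event and the config-change event are selected; a Started event is suppressed by the filter even when it also carries the config-change keyword.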
False Positives

Legitimate administrative action

Rule Metadata
Rule ID
1f2b5353-573f-4880-8e33-7d04dcf97744
Status
test
Level
high
Type
Detection
Created
Fri Jun 04
Modified
Tue Aug 02
Path
rules/windows/sysmon/sysmon_config_modification_status.yml
Raw Tags
attack.defense-evasion
attack.t1564