Type: Detection | Level: high | Status: test

Sysmon Driver Altitude Change

Detects changes to the Sysmon driver's altitude value. If the Sysmon driver is configured to load at an altitude already registered by another service, it will fail to load at boot.

Author: B.Talebi
Created: Thu Jul 28
Updated: Mon Mar 25
Rule ID: 4916a35e-bfc4-47d0-8e25-a003d7067061
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
    condition: selection
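To make the selector concrete, the following added example (not part of the rule or the Sigma project's own tooling) implements the two Sigma string modifiers the rule uses, `contains` and `endswith`, and runs the selection over a few constructed Sysmon registry_set (Event ID 13) records. The registry path of the Sysmon driver's altitude value and the event field names are the standard Sysmon ones; the sample images, details and the renamed-driver record are constructed for illustration.

```python
"""Evaluate the Sigma selection for 'Sysmon Driver Altitude Change' against
constructed Sysmon registry_set events.  Added example, not the rule's own code."""

# The rule's selection, keyed exactly as in the Sigma YAML (field|modifier: value).
SELECTION = {
    "TargetObject|contains": "\\Services\\",
    "TargetObject|endswith": "\\Instances\\Sysmon Instance\\Altitude",
}


def _match_string(value: str, modifier: str, pattern: str) -> bool:
    """Sigma string comparison is case-insensitive; only the modifiers this
    rule needs (plus the implicit exact match) are implemented here."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """All key/value pairs inside one Sigma selection map are ANDed together."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if not isinstance(value, str) or not _match_string(value, modifier, pattern):
            return False
    return True


def find_alerts(events: list[dict]) -> list[dict]:
    """Return the events the rule would fire on (condition: selection)."""
    return [e for e in events if matches_selection(e)]


# Constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records.
# The altitude value lives under the driver's Instances subkey; 385201 is
# Sysmon's default altitude, the other values are made up.
SAMPLE_EVENTS = [
    {   # altitude rewritten from a regedit session: should alert
        "EventType": "SetValue",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv"
                        "\\Instances\\Sysmon Instance\\Altitude",
        "Details": "385202",
    },
    {   # same service, different value (start type): must not alert
        "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\services.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\Start",
        "Details": "DWORD (0x00000000)",
    },
    {   # another minifilter's altitude: the endswith clause excludes it
        "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WdFilter"
                        "\\Instances\\WdFilter Instance\\Altitude",
        "Details": "328010",
    },
    {   # Sysmon installed under a custom driver name but with the usual
        # instance name: still caught, because the rule keys on the instance
        "EventType": "SetValue",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\CustomDrv"
                        "\\Instances\\Sysmon Instance\\Altitude",
        "Details": "385201",
    },
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetObject"], "=", hit["Details"])
```

Two things worth noticing when tuning this rule: the `contains: '\Services\'` clause is what ties the match to a service key rather than any key that happens to end in the instance path, and the `endswith` clause keys on the instance name, not the driver's service name, so a Sysmon installed under a renamed driver is still covered as long as the instance subkey keeps its default name. Triage should look at `Image` and `Details` in the matching event: anything other than the Sysmon installer writing a non-default altitude deserves a closer look.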
False Positives

Legitimate driver altitude change to hide Sysmon

Rule Metadata
Rule ID
4916a35e-bfc4-47d0-8e25-a003d7067061
Status
test
Level
high
Type
Detection
Created
Thu Jul 28
Modified
Mon Mar 25
Author
B.Talebi
Path
rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
Raw Tags
attack.defense-evasion, attack.t1562.001