Sysmon Configuration Error
Detects when an adversary is trying to hide its actions from Sysmon logging, based on Sysmon error messages emitted when its service configuration cannot be opened or the driver cannot be reached to update configuration.
Log Source
Product: windows
Category: sysmon_error
Detection Logic (3 selectors)
detection:
  selection_error:
    Description|contains:
      - 'Failed to open service configuration with error'
      - 'Failed to connect to the driver to update configuration'
  filter_generic_english:
    Description|contains|all:
      - 'Failed to open service configuration with error'
      - 'Last error: The media is write protected.'
  filter_by_errorcode:
    Description|contains:
      - 'Failed to open service configuration with error 19'
      - 'Failed to open service configuration with error 93'
  condition: selection_error and not 1 of filter*

False Positives
Legitimate administrative action
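As an added example that is not part of the Sigma rule or the rule browser, the following Python evaluates the rule's three selectors and its condition (selection_error and not 1 of filter*) against constructed Sysmon error descriptions; the event dict shape, the "id" field and the sample texts are assumptions made for illustration.

```python
# selection_error: Description|contains (any one string suffices)
SELECTION_ERROR = (
    "Failed to open service configuration with error",
    "Failed to connect to the driver to update configuration",
)
# filter_generic_english: Description|contains|all (every string must appear)
FILTER_GENERIC_ENGLISH = (
    "Failed to open service configuration with error",
    "Last error: The media is write protected.",
)
# filter_by_errorcode: Description|contains (any one string suffices)
FILTER_BY_ERRORCODE = (
    "Failed to open service configuration with error 19",
    "Failed to open service configuration with error 93",
)

def contains_any(value: str, needles) -> bool:
    # Sigma string matching is case-insensitive by default
    v = value.lower()
    return any(n.lower() in v for n in needles)

def contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)

def matches_rule(event: dict) -> bool:
    """Rule condition: selection_error and not 1 of filter*"""
    desc = event.get("Description", "")
    selected = contains_any(desc, SELECTION_ERROR)
    filtered = (contains_all(desc, FILTER_GENERIC_ENGLISH)
                or contains_any(desc, FILTER_BY_ERRORCODE))
    return selected and not filtered

def alerts(events) -> list:
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches_rule(e)]

# Constructed sample Sysmon error records (not real telemetry); "id" is an assumed field
SAMPLE_EVENTS = [
    {"id": "e1", "Description": "Failed to open service configuration with error 5. Last error: Access is denied."},
    {"id": "e2", "Description": "Failed to open service configuration with error 19. Last error: The media is write protected."},
    {"id": "e3", "Description": "Failed to connect to the driver to update configuration"},
    {"id": "e4", "Description": "Sysmon configuration updated."},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['e1', 'e3']
```

Event e2 is suppressed by both filters (error code 19 and the write-protected text), which is the benign case the rule excludes; e1 and e3 fire.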
MITRE ATT&CK
Tactics: Defense Evasion
Techniques: T1564 (Hide Artifacts)
Rule Metadata
Rule ID
815cd91b-7dbc-4247-841a-d7dd1392b0a8
Status
test
Level
high
Type
Detection
Created
Fri Jun 04
Modified
Thu Jul 07
Author
Path
rules/windows/sysmon/sysmon_config_modification_error.yml
Raw Tags
attack.defense-evasion, attack.t1564