Tamper With Sophos AV Registry Keys
Detects attempts to tamper with Sophos AV functionality by modifying its tamper-protection registry keys.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Sep 02
Updated: Thu Aug 17
Rule ID: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains:
            - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
            - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
            - '\Sophos\SAVService\TamperProtection\Enabled'
        Details: DWORD (0x00000000)
    condition: selection
False Positives
Some false positives may occur when the feature is disabled by the AV itself; always investigate whether the action was legitimate.
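To make the selection above concrete, here is an added example (not part of the rule or the Sigma project) that applies the same matching logic to a few constructed Sysmon Event ID 13 (registry value set) records: the three key substrings are ORed, the Details value is ANDed, and comparisons are case-insensitive as in Sigma. Event field names and sample values are assumptions for illustration.

```python
# Transcribed from the rule's selection block; Sigma string matching is case-insensitive.
TARGET_SUBSTRINGS = (
    r"\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled",
    r"\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled",
    r"\Sophos\SAVService\TamperProtection\Enabled",
)
DETAILS_VALUE = "DWORD (0x00000000)"   # value written when tamper protection is turned off


def matches_rule(event: dict) -> bool:
    """True when a registry_set event satisfies the rule's 'selection'.

    The list under TargetObject|contains is an OR; the two fields of the
    selection (TargetObject and Details) are an AND.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    key_hit = any(s.lower() in target for s in TARGET_SUBSTRINGS)
    return key_hit and details == DETAILS_VALUE.lower()


def triage(events: list) -> list:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and images, not real telemetry).
SAMPLE_EVENTS = [
    {   # tamper protection set to 0 from an interactive tool: should alert
        "EventID": 13, "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Sophos\SAVService\TamperProtection\Enabled",
        "Details": "DWORD (0x00000000)",
    },
    {   # same key set back to 1 (re-enabled): not a tamper attempt, no alert
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Sophos\SAVService\TamperProtection\Enabled",
        "Details": "DWORD (0x00000001)",
    },
    {   # unrelated Sophos value zeroed: key substring does not match, no alert
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Sophos\SAVService\Application\SomeSetting",
        "Details": "DWORD (0x00000000)",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetObject"])
```

When reviewing a hit, pivot on the Image field: the false-positive note above applies when the writer is the Sophos service itself rather than a user-driven tool.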
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1562.001 Impair Defenses: Disable or Modify Tools (attack.t1562.001)
Rule Metadata
Rule ID: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
Status: test
Level: high
Type: Detection
Created: Fri Sep 02
Modified: Thu Aug 17
Path: rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
Raw Tags: attack.defense-evasion, attack.t1562.001