Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Sigma rule (View on GitHub)
1title: Sysmon Channel Reference Deletion
2id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
3status: test
4description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
5references:
6 - https://twitter.com/Flangvik/status/1283054508084473861
7 - https://twitter.com/SecurityJosh/status/1283027365770276866
8 - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
9 - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
11date: 2020-07-14
12modified: 2025-10-22
13tags:
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.t1112
17logsource:
18 product: windows
19 service: security
20detection:
21 selection1:
22 EventID: 4657
23 ObjectName|contains:
24 - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
25 - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
26 ObjectValueName: 'Enabled'
27 NewValue: 0
28 selection2:
29 EventID: 4663
30 ObjectName|contains:
31 - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
32 - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
33 AccessMask: '0x10000'
34 condition: 1 of selection*
35falsepositives:
36 - Unknown
37level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
-
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird