Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Sigma rule (View on GitHub)
1title: Sysmon Channel Reference Deletion
2id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
3status: test
4description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
5references:
6 - https://twitter.com/Flangvik/status/1283054508084473861
7 - https://twitter.com/SecurityJosh/status/1283027365770276866
8 - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
9 - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
11date: 2020/07/14
12modified: 2022/10/05
13tags:
14 - attack.defense_evasion
15 - attack.t1112
16logsource:
17 product: windows
18 service: security
19detection:
20 selection1:
21 EventID: 4657
22 ObjectName|contains:
23 - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
24 - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
25 ObjectValueName: 'Enabled'
26 NewValue: 0
27 selection2:
28 EventID: 4663
29 ObjectName|contains:
30 - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
31 - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
32 AccessMask: 0x10000
33 condition: 1 of selection*
34falsepositives:
35 - Unknown
36level: high
References
Related rules
- Secure Deletion with SDelete
- Unauthorized System Time Modification
- Disable Security Tools
- Hidden User Creation
- Auditing Configuration Changes on Linux Host