HackTool - SysmonEnte Execution

Detects the use of SysmonEnte, a proof-of-concept tool released by CODE WHITE that tampers with the running Sysmon process to undermine its integrity. The rule matches Sysmon process-access events (Event ID 10) in which a process outside the usual trusted program directories opens Sysmon.exe or Sysmon64.exe with GrantedAccess 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION), or in which the call trace carries the tool's 'Ente' marker.

Sigma rule

title: HackTool - SysmonEnte Execution
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: test
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022/09/07
modified: 2023/11/28
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: process_access
    product: windows
detection:
    selection_sysmon:
        TargetImage|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
        GrantedAccess: '0x1400'
    selection_calltrace:
        CallTrace: 'Ente'
    filter_main_generic:
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_main_msdefender:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
falsepositives:
    - Unknown
level: high
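The detection block above, evaluated in Python over a handful of constructed Sysmon Event ID 10 records, as an added example that is not part of the SigmaHQ rule or of the SysmonEnte project. It implements only the Sigma semantics this rule uses (a plain value is an exact, case-insensitive match; `|contains` and `|endswith` are case-insensitive substring and suffix tests; list values are OR'd and keys inside one selection are AND'd) and decodes the 0x1400 access mask into its PROCESS_* constants. The event ids, source paths, Defender platform version and call traces are made up for the demonstration; no real log was used.

```python
"""Evaluate the SysmonEnte Sigma rule's detection block over constructed
Sysmon Event ID 10 (process access) records.

Added example, not part of the SigmaHQ rule or of the SysmonEnte project.
Only the Sigma semantics this rule needs are implemented:
  - a plain value is an exact, case-insensitive match
  - `|contains` / `|endswith` are case-insensitive substring / suffix tests
  - a list of values is OR'd, keys inside one selection are AND'd
"""

# The rule's detection block, transcribed 1:1 (backslashes doubled for Python).
DETECTION = {
    "selection_sysmon": {
        "TargetImage|contains": [":\\Windows\\Sysmon.exe", ":\\Windows\\Sysmon64.exe"],
        "GrantedAccess": "0x1400",
    },
    "selection_calltrace": {"CallTrace": "Ente"},
    "filter_main_generic": {
        "SourceImage|contains": [
            ":\\Program Files (x86)\\",
            ":\\Program Files\\",
            ":\\Windows\\System32\\",
            ":\\Windows\\SysWOW64\\",
        ],
    },
    "filter_main_msdefender": {
        "SourceImage|contains": ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
        "SourceImage|endswith": "\\MsMpEng.exe",
    },
}

# Subset of the PROCESS_* access rights from winnt.h, used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_access(mask):
    """Return the PROCESS_* names set in a GrantedAccess string such as '0x1400'."""
    value = int(mask, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def _value_matches(field_value, modifier, pattern):
    fv, p = field_value.lower(), pattern.lower()
    if modifier == "":
        return fv == p          # Sigma plain value: exact (case-insensitive) match
    if modifier == "contains":
        return p in fv
    if modifier == "endswith":
        return fv.endswith(p)
    raise ValueError("unsupported Sigma modifier: " + modifier)


def selection_matches(event, selection):
    """All keys of a selection must match; a list value matches if any item does."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_value_matches(event.get(field, ""), modifier, p) for p in patterns):
            return False
    return True


def rule_matches(event):
    """condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace"""
    sysmon = selection_matches(event, DETECTION["selection_sysmon"])
    filtered = any(selection_matches(event, sel)
                   for name, sel in DETECTION.items() if name.startswith("filter_main_"))
    calltrace = selection_matches(event, DETECTION["selection_calltrace"])
    return (sysmon and not filtered) or calltrace


# Constructed Event ID 10 records; ids, paths, version and call traces are invented.
SAMPLE_EVENTS = [
    {"id": "ente_from_user_dir",
     "SourceImage": "C:\\Users\\bob\\Downloads\\SysmonEnte.exe",
     "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1400",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|UNKNOWN(00007FF6C0001234)"},
    {"id": "defender_msmpeng",
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23110.3-0\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1400",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
    {"id": "svchost_system32",
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\Sysmon.exe", "GrantedAccess": "0x1400",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
    {"id": "agent_in_program_files",
     "SourceImage": "C:\\Program Files\\Vendor\\agent.exe",
     "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1400",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
    {"id": "defender_dir_not_msmpeng",
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23110.3-0\\payload.exe",
     "TargetImage": "C:\\Windows\\Sysmon.exe", "GrantedAccess": "0x1400",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
    {"id": "lsass_full_access",
     "SourceImage": "C:\\Users\\bob\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
    {"id": "calltrace_marker",
     "SourceImage": "C:\\Users\\bob\\tool.exe",
     "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "Ente"},
]


def matching_ids(events=SAMPLE_EVENTS):
    """Ids of the events the rule alerts on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("0x1400 =", " | ".join(decode_access("0x1400")))
    for e in SAMPLE_EVENTS:
        print(("ALERT " if rule_matches(e) else "      ") + e["id"])
```

Three things the run makes visible that the YAML alone does not. The generic filter suppresses any source under Program Files or System32, so a copy of the tool dropped into one of those directories is not alerted on by the first branch of the condition. The Defender exclusion requires both the Platform path and the MsMpEng.exe image name, so an unrelated binary placed in that directory still fires. And under Sigma semantics a plain `CallTrace: 'Ente'` is an exact match of the whole field; a call trace that merely contains the marker would need the `|contains` modifier.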
