HackTool - SharpEvtMute Execution

Jan 1, 2024 · attack.defense_evasion attack.t1562.002 ·

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

Sigma rule (View on GitHub)

 1title: HackTool - SharpEvtMute Execution
 2id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
 3related:
 4    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
 5      type: similar
 6status: test
 7description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
 8references:
 9    - https://github.com/bats3c/EvtMute
10author: Florian Roth (Nextron Systems)
11date: 2022/09/07
12modified: 2023/02/14
13tags:
14    - attack.defense_evasion
15    - attack.t1562.002
16logsource:
17    product: windows
18    category: process_creation
19detection:
20    selection:
21        - Image|endswith: '\SharpEvtMute.exe'
22        - Description: 'SharpEvtMute'
23        - CommandLine|contains:
24              - '--Filter "rule '
25              - '--Encoded --Filter \"'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

GitHub - bats3c/EvtMute: Apply a filter to the events being reported by windows event logging

Apply a filter to the events being reported by windows event logging - bats3c/EvtMute

Read More

HackTool - SharpEvtMute Execution

Sigma rule (View on GitHub)

References

GitHub - bats3c/EvtMute: Apply a filter to the events being reported by windows event logging

Related rules