Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
Sigma rule (View on GitHub)
1title: Sysmon Configuration Update
2id: 87911521-7098-470b-a459-9a57fc80bdfd
3status: test
4description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
5references:
6 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-03-09
9modified: 2024-03-13
10tags:
11 - attack.defense-evasion
12 - attack.t1562.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_pe:
18 - Image|endswith:
19 - \Sysmon64.exe
20 - \Sysmon.exe
21 - Description: 'System activity monitor'
22 selection_cli:
23 CommandLine|contains|windash: '-c'
24 condition: all of selection_*
25falsepositives:
26 - Legitimate administrators might use this command to update Sysmon configuration.
27level: medium
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility