Sysmon Driver Altitude Change
Detects changes to the Sysmon driver altitude value. If the Sysmon driver is configured to load at the altitude of another registered service, it will fail to load at boot.
Sigma rule
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: experimental
description: |
    Detects changes in Sysmon driver altitude value.
    If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
    - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
    - https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
    condition: selection
falsepositives:
    - Legitimate driver altitude change to hide sysmon
level: high
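The selection above, applied to a few constructed Sysmon Event ID 13 (registry value set) records, as an added example that is not part of the rule page or the SigmaHQ project; the registry paths, images and value data in the samples are assumptions, and the rule's two string modifiers are evaluated case-insensitively as Sigma specifies:

```python
# Added example: not part of the rule page or the SigmaHQ project.
# It applies the rule's `selection` to constructed Sysmon Event ID 13 records
# (Sigma's registry_set category maps to EID 13, RegistryEvent: Value Set).
# Sigma string modifiers such as |contains and |endswith are case-insensitive,
# so both sides are lower-cased before comparing.

RULE_ID = "4916a35e-bfc4-47d0-8e25-a003d7067061"
CONTAINS = "\\Services\\".lower()
ENDSWITH = "\\Instances\\Sysmon Instance\\Altitude".lower()


def matches_altitude_rule(event: dict) -> bool:
    """True when both field conditions of the rule's selection hold."""
    target = str(event.get("TargetObject", "")).lower()
    return CONTAINS in target and target.endswith(ENDSWITH)


def run_rule(events: list[dict]) -> list[dict]:
    """Return the records the rule alerts on, tagged with rule id and level."""
    return [dict(ev, rule_id=RULE_ID, level="high")
            for ev in events if matches_altitude_rule(ev)]


SERVICES = "HKLM\\System\\CurrentControlSet\\Services\\"

# Constructed sample events (assumed paths and values); field names follow
# the Sysmon EID 13 schema.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",  # alerts
     "TargetObject": SERVICES + "SysmonDrv\\Instances\\Sysmon Instance\\Altitude",
     "Details": "000000"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",  # alerts: renamed service
     "TargetObject": SERVICES + "RenamedDrv\\Instances\\Sysmon Instance\\Altitude",
     "Details": "000000"},                                 # key, same instance name
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",  # no alert:
     "TargetObject": SERVICES + "WdFilter\\Instances\\WdFilter Instance\\Altitude",
     "Details": "328010"},                                 # a different minifilter
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",  # no alert: other value
     "TargetObject": SERVICES + "SysmonDrv\\Instances\\Sysmon Instance\\Flags",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['rule_id']} {hit['Image']} -> {hit['TargetObject']}")
```

Because the selection anchors on the instance name rather than the service key, a renamed SysmonDrv key still matches, while a different instance name under `\Services\` does not.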