Tamper With Sophos AV Registry Keys
Detects tamper attempts to sophos av functionality via registry key modification
Sigma rule (View on GitHub)
1title: Tamper With Sophos AV Registry Keys
2id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
3status: test
4description: Detects tamper attempts to sophos av functionality via registry key modification
5references:
6 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-02
9modified: 2023-08-17
10tags:
11 - attack.defense-evasion
12 - attack.t1562.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains:
19 - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
20 - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
21 - '\Sophos\SAVService\TamperProtection\Enabled'
22 Details: DWORD (0x00000000)
23 condition: selection
24falsepositives:
25 - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
26level: high
References
-
[redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. Learn how their cyber defense team responded.
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility