Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration
Sigma rule
```yaml
title: Sysmon Configuration Change
id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
status: test
description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration
references:
  - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2022-01-12
tags:
  - attack.defense-evasion
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 16
  # To reduce false positives, allow-list the hash of your approved config XML:
  # filter:
  #   ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
  # condition: selection and not filter
  condition: selection
falsepositives:
  - Legitimate administrative action
level: medium
regression_tests_path: regression_data/rules/windows/sysmon/sysmon_config_modification/info.yml
```
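The following is an added example, not part of the rule or the Sigma project, showing how the rule's `selection` and the commented-out `filter` behave when run over a few Sysmon Event ID 16 records. The config XML documents, the event records (timestamps, paths, command lines) and the field layout of the records are all constructed for the example; the `SHA256=` prefix follows the rule's own comment, while upper-case hex in `ConfigurationFileHash` is an assumption, so the comparison is done case-insensitively.

```python
import hashlib

# Constructed stand-in for an organisation's approved Sysmon config XML.
# In practice this is the file deployed with `sysmon -c`; the content here
# is an assumption used only to produce a realistic hash.
KNOWN_GOOD_CONFIG_XML = b"""<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# A different, constructed config standing in for one loaded to quiet
# telemetry (an include group with no rules matches nothing).
TAMPERED_CONFIG_XML = b"""<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def config_hash_field(xml_bytes: bytes) -> str:
    """Build the value the rule's filter compares ConfigurationFileHash against.

    The 'SHA256=' prefix follows the rule's comment. Upper-case hex digits are
    an assumption about Sysmon's formatting; matches_rule() therefore compares
    case-insensitively.
    """
    return "SHA256=" + hashlib.sha256(xml_bytes).hexdigest().upper()


def matches_rule(event: dict, known_good_hashes) -> bool:
    """Evaluate `condition: selection and not filter` for one event record.

    selection: EventID == 16 (Sysmon config state changed)
    filter:    ConfigurationFileHash is one of the approved config hashes
    An EID 16 record with no hash field is treated as unknown and still fires.
    """
    if event.get("EventID") != 16:
        return False
    observed = str(event.get("ConfigurationFileHash", "")).upper()
    approved = {h.upper() for h in known_good_hashes}
    return observed not in approved


def alerting_configurations(events, known_good_hashes):
    """Return the Configuration (command line) of every event that alerts."""
    return [e["Configuration"] for e in events
            if matches_rule(e, known_good_hashes)]


# Constructed sample records shaped like the data fields of Sysmon EID 16
# (UtcTime, Configuration, ConfigurationFileHash) plus the EventID.
SAMPLE_EVENTS = [
    {   # Approved rollout: hash matches the known-good XML -> filtered out
        "EventID": 16,
        "UtcTime": "2024-05-01 09:00:00.000",
        "Configuration": r"C:\Windows\Sysmon64.exe -c C:\ProgramData\sysmon\config.xml",
        "ConfigurationFileHash": config_hash_field(KNOWN_GOOD_CONFIG_XML),
    },
    {   # Sysmon reloaded with different file contents -> alert
        "EventID": 16,
        "UtcTime": "2024-05-01 13:37:00.000",
        "Configuration": r"C:\Windows\Sysmon64.exe -c C:\Windows\Temp\config.xml",
        "ConfigurationFileHash": config_hash_field(TAMPERED_CONFIG_XML),
    },
    {   # Not EID 16: an ordinary process-creation event is ignored
        "EventID": 1,
        "UtcTime": "2024-05-01 13:37:01.000",
        "Configuration": "",
        "ConfigurationFileHash": "",
    },
    {   # EID 16 with the hash field missing -> still alerts
        "EventID": 16,
        "UtcTime": "2024-05-01 14:00:00.000",
        "Configuration": r"C:\Users\Public\sm.exe -c C:\Users\Public\q.xml",
    },
]

if __name__ == "__main__":
    approved = {config_hash_field(KNOWN_GOOD_CONFIG_XML)}
    for cfg in alerting_configurations(SAMPLE_EVENTS, approved):
        print("ALERT: Sysmon configuration changed by:", cfg)
```

To obtain the value for a real deployment, hash the XML you actually roll out (for example `(Get-FileHash -Algorithm SHA256 C:\ProgramData\sysmon\config.xml).Hash` in PowerShell) and prepend `SHA256=`. The filter suppresses only that exact file content; any other config, a reload with a modified file, or a record missing the hash field still alerts, and the allow-list has to be updated whenever the approved config is changed.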
References
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Related rules
- Add SafeBoot Keys Via Reg Utility
- Allow RDP Remote Assistance Feature
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Certificate Exported Via Certutil.EXE