Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
Sigma rule (View on GitHub)
1title: Sysmon Configuration Change
2id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
3status: test
4description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
5references:
6 - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
7author: frack113
8date: 2022/01/12
9tags:
10 - attack.defense_evasion
11logsource:
12 product: windows
13 service: sysmon
14detection:
15 selection:
16 EventID: 16
17 # To avoid FP just add
18 # filter:
19 # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
20 # condition: selection and not filter
21 condition: selection
22falsepositives:
23 - Legitimate administrative action
24level: medium
References
Related rules
- Binary Padding - MacOS
- CobaltStrike Load by Rundll32
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Disable Windows Defender AV Security Monitoring
- Disable of ETW Trace