Sysmon Configuration Change

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration

Sigma rule (View on GitHub)

 1title: Sysmon Configuration Change
 2id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
 3status: test
 4description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 7author: frack113
 8date: 2022-01-12
 9tags:
10    - attack.defense-evasion
11logsource:
12    product: windows
13    service: sysmon
14detection:
15    selection:
16        EventID: 16
17    # To avoid FP just add
18    # filter:
19    #      ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
20    # condition: selection and not filter
21    condition: selection
22falsepositives:
23    - Legitimate administrative action
24level: medium

References

Related rules

to-top