Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
Sigma rule (View on GitHub)
1title: Sysmon Configuration Error
2id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
3status: test
4description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
7 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
8author: frack113
9date: 2021/06/04
10modified: 2022/07/07
11tags:
12 - attack.defense_evasion
13 - attack.t1564
14logsource:
15 product: windows
16 category: sysmon_error
17detection:
18 selection_error:
19 Description|contains:
20 - 'Failed to open service configuration with error'
21 - 'Failed to connect to the driver to update configuration'
22 filter_generic_english:
23 Description|contains|all:
24 - 'Failed to open service configuration with error'
25 - 'Last error: The media is write protected.'
26 filter_by_errorcode:
27 Description|contains:
28 - 'Failed to open service configuration with error 19'
29 - 'Failed to open service configuration with error 93'
30 condition: selection_error and not 1 of filter*
31falsepositives:
32 - Legitimate administrative action
33level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Today I've got a mini-blog with commentary on what I view as a pretty nasty bug in Sysinternals' Sysmon. After reading Sysinternals Sysmon...
Read More
Related rules
- Detect Virtualbox Driver Installation OR Starting Of VMs
- Parent in Public Folder Suspicious Process
- ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
- Suspicious Process Execution in PerfLogs Directory
- Sysmon Configuration Modification