Sysmon Configuration Modification

 1title: Sysmon Configuration Modification
 2id: 1f2b5353-573f-4880-8e33-7d04dcf97744
 3status: test
 4description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 7    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
 8author: frack113
 9date: 2021-06-04
10modified: 2022-08-02
11tags:
12    - attack.defense-evasion
13    - attack.t1564
14logsource:
15    product: windows
16    category: sysmon_status
17detection:
18    selection_stop:
19        State: Stopped
20    selection_conf:
21        - 'Sysmon config state changed'
22    filter:
23        State: Started
24    condition: 1 of selection_* and not filter
25falsepositives:
26    - Legitimate administrative action
27level: high

References

• atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Killing Sysmon Silently

  

  Today I've got a mini-blog with commentary on what I view as a pretty nasty bug in Sysinternals' Sysmon. After reading Sysinternals Sysmon...

  
  Read More

Related rules

• Detect Virtualbox Driver Installation OR Starting Of VMs
• PUA - System Informer Execution
• Potentially Suspicious Execution From Parent Process In Public Folder
• Suspicious Creation with Colorcpl
• Suspicious Executable File Creation