Techniques
Sample rules
Sysmon Configuration Modification
- source: sigma
- techniques: t1564
Description
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Detection logic
condition: 1 of selection_* and not filter
filter:
  State: Started
selection_conf:
  - Sysmon config state changed
selection_stop:
  State: Stopped
Sysmon Configuration Change
- source: sigma
- techniques:
Description
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration
Detection logic
condition: selection
selection:
  EventID: 16
Sysmon Configuration Error
- source: sigma
- techniques: t1564
Description
Detects, based on error messages, when an adversary is trying to hide their actions from Sysmon logging
Detection logic
condition: selection_error and not 1 of filter*
filter_by_errorcode:
  Description|contains:
  - Failed to open service configuration with error 19
  - Failed to open service configuration with error 93
filter_generic_english:
  Description|contains|all:
  - Failed to open service configuration with error
  - 'Last error: The media is write protected.'
selection_error:
  Description|contains:
  - Failed to open service configuration with error
  - Failed to connect to the driver to update configuration
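As an added example (not from this page or from the Sigma project), the three rules above evaluated in plain Python over constructed Sysmon events, so the `1 of selection_*` / `not 1 of filter*` conditions can be checked by hand; the helper names, the event layout and the EventID values 4 and 255 used for service-state and error events are assumptions of this example.

```python
def _contains_any(value, needles):
    return any(n in value for n in needles)

def _contains_all(value, needles):
    return all(n in value for n in needles)

def sysmon_config_modification(ev):
    # selection_conf is a bare keyword, so Sigma matches it against every field value
    text = " ".join(str(v) for v in ev.values())
    selection_conf = "Sysmon config state changed" in text
    selection_stop = ev.get("State") == "Stopped"
    filt = ev.get("State") == "Started"
    return (selection_conf or selection_stop) and not filt  # 1 of selection_* and not filter

def sysmon_config_change(ev):
    return ev.get("EventID") == 16  # condition: selection

def sysmon_config_error(ev):
    d = ev.get("Description", "")
    selection_error = _contains_any(d, [
        "Failed to open service configuration with error",
        "Failed to connect to the driver to update configuration"])
    filter_by_errorcode = _contains_any(d, [
        "Failed to open service configuration with error 19",
        "Failed to open service configuration with error 93"])
    filter_generic_english = _contains_all(d, [
        "Failed to open service configuration with error",
        "Last error: The media is write protected."])
    return selection_error and not (filter_by_errorcode or filter_generic_english)  # not 1 of filter*

RULES = {
    "Sysmon Configuration Modification": sysmon_config_modification,
    "Sysmon Configuration Change": sysmon_config_change,
    "Sysmon Configuration Error": sysmon_config_error,
}

# Constructed sample events, not real telemetry; "id" only labels them in the output.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 4, "State": "Started", "Description": "Sysmon service state changed"},
    {"id": 2, "EventID": 4, "State": "Stopped", "Description": "Sysmon service state changed"},
    {"id": 3, "EventID": 16, "Description": "Sysmon config state changed"},
    {"id": 4, "EventID": 255, "Description": "Failed to connect to the driver to update configuration"},
    {"id": 5, "EventID": 255, "Description": "Failed to open service configuration with error 19"},
    {"id": 6, "EventID": 255, "Description": "Failed to open service configuration with error 5. Last error: The media is write protected."},
    {"id": 7, "EventID": 255, "Description": "Failed to open service configuration with error 5. Last error: Access is denied."},
]

def evaluate(events):
    """Map each rule name to the ids of the constructed events it fires on."""
    return {name: [ev["id"] for ev in events if rule(ev)] for name, rule in RULES.items()}
```

Events 5 and 6 are suppressed by the two error-code filters, while event 7 (a different last error) still fires the Configuration Error rule.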
