Sysmon Configuration Update
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely.
Detection logic
selection_pe:
  - Image|endswith:
      - \Sysmon64.exe
      - \Sysmon.exe
  - Description: System activity monitor
selection_cli:
  CommandLine|contains|windash: -c
condition: all of selection_*
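The rule above combines two Sigma behaviours that are easy to misread: a list of maps under `selection_pe` is an OR (so a renamed Sysmon binary is still caught through its `Description`), and the `windash` modifier expands the leading `-` in `-c` to the other dash characters Windows command parsers accept. The following Python is an added example that evaluates the rule against constructed process-creation events; it is not code from the rule author or the Sigma project. The set of dash variants in `WINDASH_VARIANTS` is my reading of the Sigma specification and should be treated as an assumption, and all sample events are constructed, not real telemetry.

```python
"""Added example: evaluate the 'Sysmon Configuration Update' Sigma logic
against constructed Sysmon process-creation events (not the project's code)."""

# `windash`: a value starting with '-' is also matched with '/' and with the
# Unicode dashes (en dash, em dash, horizontal bar). Assumption: this is the
# variant set defined by the Sigma specification.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_expand(value):
    """Return every variant of `value` the windash modifier would match."""
    if not value.startswith("-"):
        return [value]
    return [dash + value[1:] for dash in WINDASH_VARIANTS]


def selection_pe(event):
    """List of maps under selection_pe => OR between the two entries.
    Sigma string matching is case-insensitive, hence the lower()."""
    image = (event.get("Image") or "").lower()
    if image.endswith(("\\sysmon64.exe", "\\sysmon.exe")):
        return True
    # Catches a renamed Sysmon binary via its PE version-info description.
    return (event.get("Description") or "").lower() == "system activity monitor"


def selection_cli(event):
    """CommandLine|contains|windash: -c  => any dash variant of 'c' as substring."""
    cmd = (event.get("CommandLine") or "").lower()
    return any(variant.lower() in cmd for variant in windash_expand("-c"))


def matches(event):
    """condition: all of selection_*  => both selections must hold."""
    return selection_pe(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: plain config update with the real binary -> match
    {"Image": r"C:\Windows\Sysmon64.exe",
     "CommandLine": "Sysmon64.exe -c minimal.xml",
     "Description": "System activity monitor"},
    # 1: renamed binary, still identified by Description, '/' dash -> match
    {"Image": r"C:\Tools\svc.exe",
     "CommandLine": "svc.exe /c config.xml",
     "Description": "System activity monitor"},
    # 2: en dash instead of '-' -> match only because of windash
    {"Image": r"C:\Windows\Sysmon64.exe",
     "CommandLine": "Sysmon64.exe \u2013c",
     "Description": "System activity monitor"},
    # 3: installation, not a config update -> no match
    {"Image": r"C:\Windows\Sysmon64.exe",
     "CommandLine": "Sysmon64.exe -i sysmon.xml",
     "Description": "System activity monitor"},
    # 4: unrelated process using '/c' -> selection_pe fails -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "Description": "Windows Command Processor"},
]


def run(events=SAMPLE_EVENTS):
    """Return the indices of events the rule fires on."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for idx in run():
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Events 0, 1 and 2 fire; 3 and 4 do not. Two points for tuning: `contains` matches `-c` anywhere in the command line, so any legitimate argument containing that substring would also fire, and sanctioned configuration pushes (for example from your endpoint management tooling) will trigger the rule by design, so baseline the expected parent process and source paths rather than suppressing the rule.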