legitimate driver altitude change to hide sysmon

t1562
t1562.001
windows
sigma

Techniques

t1562
t1562.001

Sample rules

Sysmon Driver Altitude Change

source: sigma
technicques:
- t1562
- t1562.001

Description

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Detection logic

condition: selection
selection:
  TargetObject|contains: \Services\
  TargetObject|endswith: \Instances\Sysmon Instance\Altitude