Techniques
Sample rules
Sysmon Driver Altitude Change
- source: sigma
- techniques:
  - t1685
Description
Detects changes to the Sysmon driver altitude value. If the Sysmon driver is configured to load at the altitude of another registered service, it will fail to load at boot.
Detection logic
condition: selection
selection:
  TargetObject|contains: '\Services\'
  TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
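To show how this selection is evaluated, the following is an added Python example (not code from the Sigma project) that applies the two field modifiers, using Sigma's default case-insensitive string matching, to constructed Sysmon Event ID 13 style registry records; the field names, registry paths and altitude values in the sample data are assumptions for illustration.

```python
"""Evaluate the 'Sysmon Driver Altitude Change' selection against
constructed registry-event records (sample data, not real telemetry)."""

# The two conditions of the rule's `selection` block. Sigma string
# modifiers are case-insensitive by default, so both sides are lowercased.
RULE_SELECTION = {
    "TargetObject|contains": "\\Services\\",
    "TargetObject|endswith": "\\Instances\\Sysmon Instance\\Altitude",
}


def _match_field(event, spec, pattern):
    """Apply one 'field|modifier: pattern' condition to a single event."""
    field, modifier = spec.split("|", 1)
    value = str(event.get(field, "")).lower()
    pattern = pattern.lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event):
    """True when every condition holds (a Sigma selection map is an AND)."""
    return all(_match_field(event, spec, pat)
               for spec, pat in RULE_SELECTION.items())


def find_altitude_changes(events):
    """Return the events that would fire this rule."""
    return [e for e in events if selection_matches(e)]


# Constructed Event ID 13 (RegistryEvent: value set) style records.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "Details": "385201",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SysmonDrv\Instances\Sysmon Instance\Altitude"},
    # Same key, different casing: still matches because matching is case-insensitive.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "385210",
     "TargetObject": r"hklm\system\currentcontrolset\services\sysmondrv\instances\sysmon instance\altitude"},
    # Benign: a different value under the same service key.
    {"EventID": 13, "Image": r"C:\Windows\Sysmon64.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SysmonDrv\Start"},
    # Benign: another minifilter's altitude; the endswith condition fails.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "328010",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance\Altitude"},
]

if __name__ == "__main__":
    for hit in find_altitude_changes(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```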