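# Sigma rule: process access to the Sysmon service binary by SysmonEnte.
# The first condition branch is a heuristic on the access mask the tool uses
# against Sysmon; the second looks for the tool's own module name in the
# call trace.
title: SysmonEnte Usage
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: experimental
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022/09/07
modified: 2022/09/09
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: process_access
    product: windows
detection:
    # SysmonEnte opens the Sysmon service process; GrantedAccess 0x1400 is the
    # mask observed for the tool (see the screenshot reference). Match both the
    # 32-bit and 64-bit binary names and do not pin the drive letter: Sysmon is
    # installed under the system root, which is not necessarily C:.
    # NOTE(review): Sysmon can be installed under a custom binary name; such an
    # installation is not covered here and needs a site-specific value added.
    selection_sysmon_access:
        TargetImage|endswith:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
        # Hex string as logged by Sysmon; quoted so YAML does not turn it into an integer.
        GrantedAccess: '0x1400'
    # Exclusions for legitimate software that opens Sysmon with the same mask.
    # These are path prefixes only: an attacker who already holds administrative
    # rights (which opening the SYSTEM-level Sysmon process generally requires —
    # confirm for your environment) can place the tool under one of these
    # prefixes, so treat the first condition branch as noise reduction rather
    # than a hard boundary and keep the prefixes as narrow as the environment
    # allows.
    filter_main_generic:
        SourceImage|startswith:
            - 'C:\Program Files'   # no trailing backslash on purpose: also covers 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
    # Microsoft Defender's engine lives under ProgramData, outside the prefixes
    # above, so it gets its own narrowly scoped exclusion (prefix plus exact
    # binary name rather than the whole directory tree).
    filter_main_msdefender:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    # A Sigma string value without a modifier is an exact, whole-field match.
    # CallTrace is a list of module+offset entries, so the 'contains' modifier
    # is required for the tool's module name to be found anywhere inside it;
    # a bare 'Ente' value would never match a real call trace. This branch
    # relies on the default build/module name and is evaded by renaming it.
    selection_calltrace:
        CallTrace|contains: 'Ente'
    condition: (selection_sysmon_access and not 1 of filter_main_*) or selection_calltrace
falsepositives:
    - Unknown
    - Endpoint security products installed outside Program Files or System32 that open Sysmon with this access mask (add their exact SourceImage to a dedicated filter, as done for Defender)
level: high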