Detect modification of sysmon configuration by sysmon

rules/windows/sysmon/sysmon_config_modification.yml

@@ -0,0 +1,30 @@
+title: Sysmon Configuration Modification
+id: 1f2b5353-573f-4880-8e33-7d04dcf97744
+description: Someone try to hide from Sysmon
+status: experimental
+author: frack113
+date: 2021/06/04
+references:
+    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+tags:
+    - attack.defense_evasion
+    - attack.t1564
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_stop:
+        EventID: 4
+        State: Stopped
+    selection_conf:
+        EventID: 16
+        message|startswith:
+            - 'Sysmon config state changed'
+    selection_error:
+        EventID: 255
+        Description|contains:
+            - 'Failed to open service configuration with error'
+    condition: 1 of them
+falsepositives:
+    - legitimate administrative action
+level: high

tools/config/winlogbeat-modules-enabled.yml

@@ -165,6 +165,7 @@ fieldmappings:
   src_port: source.port
   #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
   StartModule: winlog.event_data.StartModule
+  State: winlog.event_data.State
   Status: winlog.event_data.Status
   SubjectDomainName: user.domain
   SubjectUserName: user.name