From 3d9fe490aba948ea7e378a9ab736dee0865e5ef6 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 4 Jun 2021 11:27:15 +0200
Subject: [PATCH] Detect modification of sysmon configuration by sysmon

---
 .../sysmon/sysmon_config_modification.yml | 30 +++++++++++++++++++
 tools/config/winlogbeat-modules-enabled.yml | 1 +
 2 files changed, 31 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_config_modification.yml

diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
new file mode 100644
index 000000000..9e2661feb
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -0,0 +1,30 @@
+title: Sysmon Configuration Modification
+id: 1f2b5353-573f-4880-8e33-7d04dcf97744
+description: Someone try to hide from Sysmon
+status: experimental
+author: frack113
+date: 2021/06/04
+references:
+ - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+tags:
+ - attack.defense_evasion
+ - attack.t1564
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_stop:
+ EventID: 4
+ State: Stopped
+ selection_conf:
+ EventID: 16
+ message|startswith:
+ - 'Sysmon config state changed'
+ selection_error:
+ EventID: 255
+ Description|contains:
+ - 'Failed to open service configuration with error'
+ condition: 1 of them
+falsepositives:
+ - legitimate administrative action
+level: high
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 25debf7d8..b0d068a2d 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
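Review bot: The `description` on the third added line of the rule does not say what is detected; an analyst triaging the alert needs the three event types spelled out, e.g. `description: Detects a Sysmon service stop (EventID 4), a Sysmon configuration state change (EventID 16) or a failure to open the Sysmon service configuration (EventID 255), any of which can indicate an attempt to blind Sysmon`. `selection_conf` matches on `message|startswith`, which only works where the backend exposes the rendered event text as a `message` field; every Sysmon EventID 16 is a configuration state change, so `EventID: 16` alone carries the same meaning and is portable across backends. `selection_stop` is likely to also fire on the normal service stop at shutdown and on an administrative Sysmon update, so the `falsepositives` entry should name reboots and Sysmon upgrades rather than only `legitimate administrative action`, or `level: high` should be reconsidered. Stopping or reconfiguring a sensor is described more precisely by `attack.t1562.001` (Impair Defenses: Disable or Modify Tools) than by `attack.t1564`.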
@@ -165,6 +165,7 @@ fieldmappings:
 src_port: source.port
 #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
 StartModule: winlog.event_data.StartModule
+ State: winlog.event_data.State
 Status: winlog.event_data.Status
 SubjectDomainName: user.domain
 SubjectUserName: user.name
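Review bot: The added `State` mapping covers `selection_stop` of the new rule, but that rule also matches on `Description` (EventID 255) and `message` (EventID 16), and this hunk maps neither; unless the module already maps them elsewhere in the file, which is not visible here, those two selections will not translate for this backend. Following the pattern of the neighbouring entries, `Description: winlog.event_data.Description` would likely need adding alongside `State`, and the `message` match in the rule would need to be confirmed against this backend's field name. The enclosing `fieldmappings` block starts before the hunk and appears to continue past it.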