Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
38 lines
1.0 KiB
YAML
38 lines
1.0 KiB
YAML
action: global
|
|
title: Sysmon Configuration Modification
|
|
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
|
|
description: Someone try to hide from Sysmon
|
|
status: experimental
|
|
author: frack113
|
|
date: 2021/06/04
|
|
modified: 2021/06/16
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
|
|
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1564
|
|
falsepositives:
|
|
- legitimate administrative action
|
|
level: high
|
|
---
|
|
logsource:
|
|
product: windows
|
|
category: sysmon_status
|
|
detection:
|
|
selection_stop:
|
|
State: Stopped
|
|
selection_conf:
|
|
- 'Sysmon config state changed'
|
|
condition: selection_stop or selection_conf
|
|
---
|
|
logsource:
|
|
product: windows
|
|
category: sysmon_error
|
|
detection:
|
|
selection_error:
|
|
Description|contains:
|
|
- 'Failed to open service configuration with error'
|
|
- 'Failed to connect to the driver to update configuration'
|
|
condition: selection_error
|