frack113
020fc8061f
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
34 lines
1.3 KiB
YAML
34 lines
1.3 KiB
YAML
title: Sysmon Configuration Error
|
|
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
|
|
status: test
|
|
description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
|
|
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
|
|
author: frack113
|
|
date: 2021/06/04
|
|
modified: 2022/07/07
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1564
|
|
logsource:
|
|
product: windows
|
|
category: sysmon_error
|
|
detection:
|
|
selection_error:
|
|
Description|contains:
|
|
- 'Failed to open service configuration with error'
|
|
- 'Failed to connect to the driver to update configuration'
|
|
filter_generic_english:
|
|
Description|contains|all:
|
|
- 'Failed to open service configuration with error'
|
|
- 'Last error: The media is write protected.'
|
|
filter_by_errorcode:
|
|
Description|contains:
|
|
- 'Failed to open service configuration with error 19'
|
|
- 'Failed to open service configuration with error 93'
|
|
condition: selection_error and not 1 of filter*
|
|
falsepositives:
|
|
- Legitimate administrative action
|
|
level: high
|