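# Sigma rule: process-access (Sysmon EID 10) detection for SysmonEnte, a PoC that
# opens the Sysmon service process to tamper with it. Two independent branches:
#   1. a generic one — any non-whitelisted image opening Sysmon with the exact
#      access mask the referenced write-up attributes to the tool;
#   2. a signature one — the tool's marker string inside the CallTrace field.
# The second branch deliberately bypasses the path filters of the first.
title: SysmonEnte Usage
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: experimental
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
author: Florian Roth
date: 2022/09/07
modified: 2022/09/09
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: process_access
    product: windows
detection:
    selection_1:
        # Match on the binary name, not a fixed path: this also covers the 32-bit
        # build (Sysmon.exe) and installs that run Sysmon from a non-default folder.
        TargetImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
        # 0x1400 = PROCESS_QUERY_INFORMATION (0x400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000).
        # Kept as an exact match on purpose: the generic branch keys on this precise mask,
        # not on a superset, to keep false positives from ordinary handle opens down.
        GrantedAccess: '0x1400'
    # Path-prefix filters for the generic branch. 'C:\Program Files' has no trailing
    # backslash so it also covers 'C:\Program Files (x86)'. NOTE(review): these are a
    # noise filter, not a security boundary — a caller able to open the Sysmon process is
    # presumably already privileged and could stage the tool under one of these prefixes;
    # the CallTrace branch below still fires in that case.
    filter_1:
        SourceImage|startswith:
            - 'C:\Program Files'
            - 'C:\Windows\System32\'
    filter_msdefender:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    selection_calltrace:
        # A plain Sigma value is an exact (whole-field) match. CallTrace is a multi-frame
        # stack string, so an exact match on 'Ente' could never fire; the marker is a
        # substring of the trace (see the referenced screenshot), hence |contains.
        CallTrace|contains: 'Ente'
    # Generic branch minus filters, OR the signature branch unfiltered.
    condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
falsepositives:
    - Unknown
level: high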