security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/sysmon/sysmon_config_modification.yml
T
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00

25 lines
757 B
YAML
Raw Blame History

title: Sysmon Configuration Change
id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
status: experimental
author: frack113
date: 2022/01/12
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 16
# To avoid FP just add
# filter:
# ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
# condition: selection and not filter
condition: selection
falsepositives:
- Legitimate administrative action
level: medium
tags:
- attack.defense_evasion
Reference in New Issue View Git Blame Copy Permalink