← Back to Explore
sigmahighHunting
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Detection Query
selection_stop:
State: Stopped
selection_conf:
- Sysmon config state changed
filter:
State: Started
condition: 1 of selection_* and not filter
Author
frack113
Created
2021-06-04
Data Sources
windowssysmon_status
Platforms
windows
References
Tags
attack.defense-evasionattack.t1564
Raw Content
title: Sysmon Configuration Modification
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
status: test
description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-08-02
tags:
- attack.defense-evasion
- attack.t1564
logsource:
product: windows
category: sysmon_status
detection:
selection_stop:
State: Stopped
selection_conf:
- 'Sysmon config state changed'
filter:
State: Started
condition: 1 of selection_* and not filter
falsepositives:
- Legitimate administrative action
level: high