← Back to Explore
sigmahighHunting
Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
Detection Query
selection_error:
Description|contains:
- Failed to open service configuration with error
- Failed to connect to the driver to update configuration
filter_generic_english:
Description|contains|all:
- Failed to open service configuration with error
- "Last error: The media is write protected."
filter_by_errorcode:
Description|contains:
- Failed to open service configuration with error 19
- Failed to open service configuration with error 93
condition: selection_error and not 1 of filter*
Author
frack113
Created
2021-06-04
Data Sources
windowssysmon_error
Platforms
windows
References
Tags
attack.defense-evasionattack.t1564
Raw Content
title: Sysmon Configuration Error
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
status: test
description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-07-07
tags:
- attack.defense-evasion
- attack.t1564
logsource:
product: windows
category: sysmon_error
detection:
selection_error:
Description|contains:
- 'Failed to open service configuration with error'
- 'Failed to connect to the driver to update configuration'
filter_generic_english:
Description|contains|all:
- 'Failed to open service configuration with error'
- 'Last error: The media is write protected.'
filter_by_errorcode:
Description|contains:
- 'Failed to open service configuration with error 19'
- 'Failed to open service configuration with error 93'
condition: selection_error and not 1 of filter*
falsepositives:
- Legitimate administrative action
level: high