sigmahighHunting

Tamper With Sophos AV Registry Keys

Detects tamper attempts to sophos av functionality via registry key modification

MITRE ATT&CK

Detection Query

selection:
  TargetObject|contains:
    - \Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled
    - \Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled
    - \Sophos\SAVService\TamperProtection\Enabled
  Details: DWORD (0x00000000)
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-02

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

Tags

attack.defense-impairmentattack.t1685

Raw Content

title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
status: test
description: Detects tamper attempts to sophos av functionality via registry key modification
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
            - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
            - '\Sophos\SAVService\TamperProtection\Enabled'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high