Feature/rm submodule (#312)
* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
GitHub
32
rules/sigma/sysmon/sysmon_config_modification_error.yml
Normal file
32
rules/sigma/sysmon/sysmon_config_modification_error.yml
Normal file
@@ -0,0 +1,32 @@
|
||||
|
||||
title: Sysmon Configuration Error
|
||||
ruletype: Sigma
|
||||
author: frack113
|
||||
date: 2021/06/04
|
||||
description: Someone try to hide from Sysmon
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 255
|
||||
SELECTION_2:
|
||||
Description:
|
||||
- '*Failed to open service configuration with error*'
|
||||
- '*Failed to connect to the driver to update configuration*'
|
||||
SELECTION_3:
|
||||
Description: 'Failed to open service configuration with error 19 - Last error:
|
||||
The media is write protected.'
|
||||
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
|
||||
falsepositives:
|
||||
- legitimate administrative action
|
||||
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
|
||||
level: high
|
||||
logsource:
|
||||
category: sysmon_error
|
||||
product: windows
|
||||
modified: 2021/12/02
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
|
||||
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1564
|
||||
Reference in New Issue
Block a user