← Library
sigmaDRL-1.1from SigmaHQ/sigma

Sysmon Driver Altitude Change

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1562.001
Rule sourcerules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: test
description: |
    Detects changes in Sysmon driver altitude value.
    If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
    - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
    - https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
    condition: selection
falsepositives:
    - Legitimate driver altitude change to hide sysmon
level: high