← Library
sigmaDRL-1.1from SigmaHQ/sigma

Tamper With Sophos AV Registry Keys

Detects tamper attempts to sophos av functionality via registry key modification

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1562.001
Rule sourcerules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
status: test
description: Detects tamper attempts to sophos av functionality via registry key modification
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
            - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
            - '\Sophos\SAVService\TamperProtection\Enabled'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high