Event ID 16 — ServiceConfigurationChange
Description
This event logs changes in the Sysmon configuration.
Fields

| Name | Type | Description |
|---|---|---|
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| Configuration | UnicodeString → string | Name of the Sysmon config file being updated |
| ConfigurationFileHash | UnicodeString → string | Hash (SHA1) of the Sysmon config file being updated |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 16,
    "version": 3,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:47:11.932399+00:00",
    "event_record_id": 994662,
    "correlation": {},
    "execution": {
      "process_id": 8688,
      "thread_id": 13092
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "UtcTime": "2023-11-06 00:47:11.921",
    "Configuration": "C:\\Users\\User\\Downloads\\Sysmon\\sysmonconfig-trace.xml",
    "ConfigurationFileHash": "SHA256=43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9"
  },
  "message": ""
}
```
Detection Patterns

- Defense Evasion: Hide Artifacts (1 rule)
Community Notes
May indicate an attacker attempting to reduce visibility prior to staging a payload.
Detection Rules

Sigma

- Sysmon Configuration Change (level: medium): Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration.
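The Sigma rule above fires on every Event ID 16. A practical triage step is to compare the ConfigurationFileHash against the hashes of the configuration files your team actually deployed, so expected reloads are separated from an unapproved file being loaded. The following is an added example, not code from this page or from Sysmon; the approved-hash set and the second sample record (with a placeholder hash) are constructed assumptions, while the first record is the event shown above.

```python
import json

# Assumption: hashes of the config files the defender actually deployed.
# This value is the SHA256 from the example event on this page.
APPROVED_CONFIG_HASHES = {
    "43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9",
}

# Constructed sample log lines: the page's example (trimmed) plus a constructed
# reload from an unapproved path whose hash is an all-zero placeholder.
SAMPLE_EVENTS = [
    json.dumps({"system": {"event_id": 16, "computer": "WinDev2310Eval"},
                "event_data": {"UtcTime": "2023-11-06 00:47:11.921",
                               "Configuration": "C:\\Users\\User\\Downloads\\Sysmon\\sysmonconfig-trace.xml",
                               "ConfigurationFileHash": "SHA256=43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9"}}),
    json.dumps({"system": {"event_id": 16, "computer": "WinDev2310Eval"},
                "event_data": {"UtcTime": "2023-11-06 01:02:03.000",
                               "Configuration": "C:\\Users\\Public\\minimal.xml",
                               "ConfigurationFileHash": "SHA256=" + "00" * 32}}),
]

def parse_hashes(field):
    """Split a Sysmon hash field ('SHA1=..,SHA256=..') into {ALGO: HEX}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().upper()
    return out

def triage_event(raw, approved=APPROVED_CONFIG_HASHES):
    """Return a verdict dict for one Event ID 16 record, or None for other events."""
    ev = json.loads(raw)
    if ev.get("system", {}).get("event_id") != 16:
        return None
    data = ev.get("event_data", {})
    hashes = parse_hashes(data.get("ConfigurationFileHash", ""))
    # Any configured algorithm matching an approved digest counts as known.
    known = any(h in approved for h in hashes.values())
    return {
        "host": ev["system"].get("computer"),
        "time": data.get("UtcTime"),
        "config": data.get("Configuration"),
        "sha256": hashes.get("SHA256"),
        "verdict": "expected" if known else "ALERT: unapproved config loaded",
    }

def triage_all(raw_events, approved=APPROVED_CONFIG_HASHES):
    """Triage a batch of JSON log lines, dropping non-16 events."""
    return [v for v in (triage_event(r, approved) for r in raw_events) if v]
```

Hash the config file you deploy (e.g. with Get-FileHash) and add that digest to the approved set before rolling the rule into production.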