detection.wiki

Detection rules › Sigma

Tamper With Sophos AV Registry Keys

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects tamper attempts to sophos av functionality via registry key modification

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
TargetObject|contains: '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
TargetObject|contains: '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
TargetObject|contains: '\Sophos\SAVService\TamperProtection\Enabled'
Details: 'DWORD (0x00000000)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00000000) corpus 38 (sigma 38)
TargetObjectmatch
  • \Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled
  • \Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled
  • \Sophos\SAVService\TamperProtection\Enabled