Detection rules › Sigma
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4657 | A registry value was modified. |
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
Stage 1: 1 of selection1
or:
ObjectName|contains: 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectName|contains: 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
NewValue: 0
ObjectValueName: Enabled
Stage 2: 1 of selection2
or:
ObjectName|contains: 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectName|contains: 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
AccessMask: 0x10000
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AccessMask | eq |
|
NewValue | eq |
|
ObjectName | match |
|
ObjectValueName | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- Processes Accessing the Microphone and Webcam
- LSASS Access From Non System Account
- WCE wceaux.dll Access
- Potential Secure Deletion with SDelete
- Potentially Suspicious AccessMask Requested From LSASS
- SysKey Registry Keys Access
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.