Skip to content
Threat Feed
medium advisory

Detection of Sysmon Configuration Updates for Defense Evasion

This brief describes how to detect an attacker updating or replacing the Sysmon configuration with a bare bones one to avoid monitoring without completely shutting down the service, leveraging Sysmon's `-c` command-line option for defense impairment.

This brief highlights a defense evasion technique involving the modification of Sysmon's configuration. Attackers, likely operating in the post-exploitation phase, may seek to update or replace a running Sysmon's configuration to limit its monitoring capabilities without completely stopping the service. By using the Sysmon executable (e.g., Sysmon64.exe or Sysmon.exe) with the -c command-line switch, adversaries can deploy a stripped-down configuration file that ignores critical process creations, network connections, or file modifications. This tactic allows them to operate with reduced visibility, avoiding detection mechanisms that rely on Sysmon telemetry. This technique is often seen in targeted attacks where adversaries aim to maintain persistence and execute malicious actions stealthily. The scope of targeting is broad, as Sysmon is a widely deployed endpoint monitoring solution across various environments.

Impact

Successful implementation of this technique leads to a significant degradation of an organization's endpoint visibility and detection capabilities. By manipulating Sysmon's configuration, attackers can effectively blind security operations teams to their subsequent malicious activities, including privilege escalation, lateral movement, and data exfiltration. This impairment allows adversaries to operate undetected, potentially leading to prolonged dwell times and increased data compromise or system damage. While no specific victim count is available for this particular technique, its impact is severe across any sector relying on Sysmon for critical endpoint telemetry, making it a high-priority detection scenario for all Windows environments.

Recommendation

  • Deploy the Sigma rule "Sysmon Configuration Update Detection" provided in this brief to your SIEM and tune for your environment.
  • Ensure Sysmon is correctly installed and configured to log process_creation events, which are essential for the detection rule above.
  • Implement robust change management and integrity monitoring for Sysmon configuration files to detect unauthorized modifications.

Detection coverage 1

Sysmon Configuration Update Detection

medium

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely.

sigma tactics: defense_evasion sources: process_creation, windows

Detection queries are available on the platform. Get full rules →