← Back to SOC feed Coverage →

Sysmon Driver Altitude Change

sigma HIGH SigmaHQ
T1685
imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-25T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Detection Rule

Sigma (Original)

title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: test
description: |
    Detects changes in Sysmon driver altitude value.
    If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
    - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
    - https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
    condition: selection
falsepositives:
    - Legitimate driver altitude change to hide sysmon
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml