Note: The collection sections of this report showcase specific log sources from Windows events, Sysmon, and elsewhere that you can use to collect relevant security information.
As we noted earlier, redundancy is your friend when it comes to monitoring for tool manipulation or disablement. If you’re reliant on Sysmon for visibility and an adversary revises your Sysmon configuration to evade it, then it’s good to have a backup plan in the form of Windows Event Logs or some other tool to observe the adversary’s behavior.
Endpoint Detection and Response (EDR)
Commercial EDR products provide a rich array of telemetry that can be used to observe, detect, and even prevent tool disablement. As an example, we commonly leverage EDR tooling to gain visibility into adversaries who are attempting to disable antivirus or other endpoint security controls. Unfortunately, we also observe adversaries attempting to kill EDR processes in order to evade analysis.
Windows Security Event ID 4688: A new process has been created
Insofar as you can track tool modification and disablement via process creation and command execution, Windows Security Event ID 4688 offers visibility into both. The caveat is that the event only carries the command line if you've enabled it (the "Audit Process Creation" subcategory plus the "Include command line in process creation events" policy setting); without that, 4688 shows you the process name but not the arguments that reveal what the adversary was disabling.
Sysmon Event ID 1: Process creation
Again, if the adversary is leveraging a process to disable a tool, then anything that logs process creation is going to offer value, and Sysmon Event ID 1 does just that, including the full command line, the parent process, and hashes of the image, with no extra audit policy required.
Sysmon Event ID 5: Process terminated
As disabling a tool commonly involves an adversary actively terminating processes, tracking process termination events may offer important visibility into adversaries as they disable security tools. Sysmon Event ID 5, depending on how you configure it, will capture a record of every process termination, with the terminated Image and ProcessGuid, so you can watch for your own security tools exiting unexpectedly and join the termination back to the Event ID 1 that started the process.
Sysmon Event ID 11: FileCreate
Sysmon Event ID 11 tracks whenever a file is created or overwritten, offering defenders a way of keeping track of configuration files for certain security tools. That said, configuring this properly, and in particular setting the right exclusions, is crucial, as tracking file creation events can get extremely noisy. Scoping the rule to the TargetFilename paths where your tools keep their configuration is a practical middle ground.
Sysmon Event ID 16: ServiceConfigurationChange
Sysmon Event ID 16 (displayed as "Sysmon config state changed") tracks changes to your Sysmon configuration, and will create a record anytime anyone modifies your Sysmon configuration, including the path of the new configuration and a hash of the configuration file. Since the adversary who changes your Sysmon configuration may also be in a position to stop the service, this is exactly the event you want to forward off the host and back with a second source such as Security Event ID 4688.
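The following is an added example, not detection logic from this report or from Red Canary, that ties the sources above together. It parses a handful of constructed Security 4688 and Sysmon (Event ID 1, 5, and 16) events in their EVTX XML rendering, flags tool-disablement command lines from both process-creation sources, flags terminations of security tool processes, and flags every Sysmon configuration change. The process names, command-line patterns, and the sample events (including the placeholder configuration hash) are illustrative assumptions, not a complete or vetted rule set. One constructed 4688 event deliberately has an empty command line, which is what you get when command-line auditing is off, to show why that setting matters and why the overlapping Sysmon Event ID 1 is worth keeping.

```python
"""Cross-source detection of security tool disablement (added example, not
the report's own logic). Events below are CONSTRUCTED sample data."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: illustrative security tool images an adversary might terminate.
PROTECTED_IMAGES = {"msmpeng.exe", "sysmon64.exe", "sysmon.exe"}

# Assumption: illustrative command-line patterns for disabling or reconfiguring tools.
DISABLE_PATTERNS = [
    re.compile(r"set-mppreference\b.*-disable", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+\S*(?:sysmon|windefend)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?:msmpeng|sysmon)", re.I),
    re.compile(r"\bsysmon(?:64)?(?:\.exe)?\b.*\s-(?:c|u)\b", re.I),
]


def _event(provider, eid, **fields):
    """Build a minimal EVTX-style XML rendering (constructed sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f"<EventID>{eid}</EventID></System><EventData>{data}</EventData></Event>")


SEC = "Microsoft-Windows-Security-Auditing"
SYS = "Microsoft-Windows-Sysmon"
PS_CMD = "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"

SAMPLE_EVENTS = [
    # Same process creation seen by both sources (redundancy).
    _event(SEC, 4688, NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           CommandLine=PS_CMD),
    _event(SYS, 1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           CommandLine=PS_CMD, ParentImage=r"C:\Windows\System32\cmd.exe"),
    # 4688 without command-line auditing: the arguments are lost, nothing to match on.
    _event(SEC, 4688, NewProcessName=r"C:\Windows\System32\sc.exe", CommandLine=""),
    # Defender engine process terminated.
    _event(SYS, 5, Image=r"C:\Program Files\Windows Defender\MsMpEng.exe", ProcessId="4120"),
    # Sysmon config swapped; hash below is a placeholder, not a real file hash.
    _event(SYS, 16, Configuration=r"C:\Temp\quiet.xml", ConfigurationFileHash="SHA256=PLACEHOLDER"),
    # Benign activity that should not fire.
    _event(SYS, 1, Image=r"C:\Windows\System32\notepad.exe",
           CommandLine=r"notepad.exe C:\Users\alice\notes.txt", ParentImage=r"C:\Windows\explorer.exe"),
]


def parse_event(xml_text):
    """Return (provider, event_id, {data name: value}) for one rendered event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return provider, event_id, data


def detect(xml_events):
    """Return a list of (source, rule, detail) for every suspicious event."""
    hits = []
    for xml_text in xml_events:
        provider, eid, data = parse_event(xml_text)
        cmd = data.get("CommandLine", "")
        if provider == SEC and eid == 4688:
            if any(p.search(cmd) for p in DISABLE_PATTERNS):
                hits.append(("Security/4688", "tool-disable-cmdline", cmd))
        elif provider == SYS and eid == 1:
            if any(p.search(cmd) for p in DISABLE_PATTERNS):
                hits.append(("Sysmon/1", "tool-disable-cmdline", cmd))
        elif provider == SYS and eid == 5:
            image = data.get("Image", "").rsplit("\\", 1)[-1].lower()
            if image in PROTECTED_IMAGES:
                hits.append(("Sysmon/5", "security-process-terminated", image))
        elif provider == SYS and eid == 16:
            # Every config change is worth a record; there is no benign-looking variant.
            hits.append(("Sysmon/16", "sysmon-config-changed", data.get("ConfigurationFileHash", "")))
    return hits


def sources_for(hits, rule):
    """Which log sources independently caught a given rule (the redundancy check)."""
    return {source for source, r, _ in hits if r == rule}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("cmdline rule covered by:", sources_for(detect(SAMPLE_EVENTS), "tool-disable-cmdline"))
```

Run it and the Defender disablement shows up twice, once from each process-creation source, so losing either one still leaves a detection; the `sc.exe` event with no command line produces nothing, which is the gap you close by enabling command-line auditing.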