Unload Sysmon Filter Driver with fltmc.exe¶
Detect the unloading of the Sysinternals Sysmon filter driver via the unload command line parameter.
| id: | 1261d02a-ee99-4954-8404-8376a8d441b2 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1089 Disabling Security Tools |
Note
The Sysmon driver can be installed with various service names. The analytic should be changed to reflect the installed service name if Sysmon is installed with a different name.
Query¶
process where subtype.create and
process_name == "fltmc.exe" and command_line == "* unload *sysmon*"