Sysmon Driver Unloaded Via Fltmc.EXE

Detects a possible unload of the Sysmon filter driver via fltmc.exe

Sigma rule

title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
    - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
      type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.t1562
    - attack.t1562.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'unload'
            - 'sysmon'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
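The detection logic above, re-implemented as an added example (not part of the Sigma project or this rule's author's code) and run over constructed process_creation events. It assumes Sigma's default case-insensitive string matching and the standard Windows process_creation field names (Image, OriginalFileName, CommandLine); the sample command lines, including the SysmonDrv driver name, are constructed test data.

```python
# Added example: evaluate this rule's selections and condition over
# constructed process_creation events. Field names follow the Sigma
# Windows process_creation taxonomy; events are constructed, not real logs.

def matches_selection_img(event: dict) -> bool:
    """selection_img is a list, so either item may match:
    Image ends with '\\fltMC.exe' OR OriginalFileName equals 'fltMC.exe'.
    Sigma string matching is case-insensitive by default, so lower-case both sides."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\fltmc.exe") or original == "fltmc.exe"


def matches_selection_cli(event: dict) -> bool:
    """selection_cli uses contains|all: CommandLine must contain every
    listed substring ('unload' and 'sysmon'), case-insensitively."""
    cmdline = event.get("CommandLine", "").lower()
    return all(token in cmdline for token in ("unload", "sysmon"))


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must match."""
    return matches_selection_img(event) and matches_selection_cli(event)


# Constructed sample events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"Image": r"C:\Windows\System32\fltMC.exe", "OriginalFileName": "fltMC.exe",
     "CommandLine": "fltMC.exe unload SysmonDrv"},           # should alert
    {"Image": r"C:\Windows\System32\fltMC.exe", "OriginalFileName": "fltMC.exe",
     "CommandLine": "fltmc.exe filters"},                    # benign enumeration, no alert
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "fltMC.exe",
     "CommandLine": "renamed.exe unload sysmondrv"},         # renamed binary, caught via OriginalFileName
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe stop sysmon"},                   # different tool, outside this rule's scope
]


def alerts(events) -> list:
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```

Note that the renamed-binary case is only caught because OriginalFileName is checked alongside Image, which is why selection_img lists both fields.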
