Sysmon Driver Unloaded Via Fltmc.EXE

calendar Feb 16, 2023 · attack.defense_evasion attack.t1070 attack.t1562 attack.t1562.002  ·
Share on: linkedin copy

Detects possible Sysmon filter driver unloaded via fltmc.exe

Sigma rule (View on GitHub)

 1title: Sysmon Driver Unloaded Via Fltmc.EXE
 2id: 4d7cda18-1b12-4e52-b45c-d28653210df8
 3related:
 4    - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
 5      type: similar
 6status: test
 7description: Detects possible Sysmon filter driver unloaded via fltmc.exe
 8references:
 9    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
10author: Kirill Kiryanov, oscd.community
11date: 2019/10/23
12modified: 2023/02/13
13tags:
14    - attack.defense_evasion
15    - attack.t1070
16    - attack.t1562
17    - attack.t1562.002
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_img:
23        - Image|endswith: '\fltMC.exe'
24        - OriginalFileName: 'fltMC.exe'
25    selection_cli:
26        CommandLine|contains|all:
27            - 'unload'
28            - 'sysmon'
29    condition: all of selection_*
30falsepositives:
31    - Unlikely
32level: high

References

  • Operating Offensively Against Sysmon

    Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog post and even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is for the tracking of potentially malicious activity on individual hosts and it is


    Read More

Related rules

to-top