Sysmon Driver Unloaded Via Fltmc.EXE

Detects the possible unloading of the Sysmon filter driver (SysmonDrv) via fltmc.exe, a common defense-evasion step an attacker takes to blind Sysmon before acting.

Sigma rule

title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
    - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
      type: similar
status: test
description: Detects the possible unloading of the Sysmon filter driver via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.t1562
    - attack.t1562.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'unload'
            - 'sysmon'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
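The detection block above, replayed over constructed process-creation events, as an added example that is not part of the Sigma rule or the SigmaHQ project. Sigma string matching is case-insensitive by default, `selection_img` is an OR over its two list items (so a renamed fltmc binary is still caught through its PE `OriginalFileName`), and `contains|all` requires both keywords in the command line. The last sample event assumes Sysmon was installed with a custom driver name (the `-d` install switch), which removes the string "sysmon" from the unload command and therefore evades this rule; that gap is why the related generic rule exists. The `matches_generic` function is an approximation of that generic rule written for this example, not its actual logic.

```python
"""Replay of the rule's detection logic over constructed sample events.
Added example; the matching functions mirror the YAML above, and the
sample events are made up (not real telemetry)."""


def _lower(value):
    # Sigma modifiers compare case-insensitively; missing fields match nothing.
    return (value or "").lower()


def selection_img(event):
    # List items under selection_img are OR-ed together.
    return (_lower(event.get("Image")).endswith("\\fltmc.exe")
            or _lower(event.get("OriginalFileName")) == "fltmc.exe")


def selection_cli(event):
    # CommandLine|contains|all: every keyword must be present.
    cmd = _lower(event.get("CommandLine"))
    return all(kw in cmd for kw in ("unload", "sysmon"))


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


def matches_generic(event):
    # Approximation (assumption) of the related generic rule: any filter
    # driver unload through fltmc, regardless of the driver name.
    return selection_img(event) and "unload" in _lower(event.get("CommandLine"))


# Constructed sample events; index comments describe the intended verdict.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fltMC.exe",          # 0: true positive
     "OriginalFileName": "fltMC.exe",
     "CommandLine": "fltMC.exe unload SysmonDrv"},
    {"Image": r"C:\Users\Public\svc.exe",                # 1: renamed binary,
     "OriginalFileName": "fltMC.exe",                    #    caught by OriginalFileName
     "CommandLine": "svc.exe UNLOAD sysmondrv"},
    {"Image": r"C:\Windows\System32\fltMC.exe",          # 2: benign enumeration
     "OriginalFileName": "fltMC.exe",
     "CommandLine": "fltMC.exe filters"},
    {"Image": r"C:\Windows\System32\fltMC.exe",          # 3: unload of another filter,
     "OriginalFileName": "fltMC.exe",                    #    only the generic rule fires
     "CommandLine": "fltMC.exe unload WdFilter"},
    {"Image": r"C:\Windows\System32\fltMC.exe",          # 4: Sysmon installed with
     "OriginalFileName": "fltMC.exe",                    #    "-d MsSecDrv" (assumed name):
     "CommandLine": "fltMC.exe unload MsSecDrv"},        #    evades this rule
]


def run(events=SAMPLE_EVENTS, rule=matches):
    """Return the indices of events the given rule function flags."""
    return [i for i, event in enumerate(events) if rule(event)]


def run_generic(events=SAMPLE_EVENTS):
    return run(events, matches_generic)


if __name__ == "__main__":
    for i in run():
        print("ALERT (this rule):   ", SAMPLE_EVENTS[i]["CommandLine"])
    for i in run_generic():
        print("ALERT (generic rule):", SAMPLE_EVENTS[i]["CommandLine"])
```

In practice, pair this rule with the generic one and with Sysmon's own event ID 255 / driver-unload telemetry, because an attacker who renamed the driver at install time will never produce the string "sysmon" on the fltmc command line.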
