SigmaHQ/rules/windows/process_creation/win_sysmon_driver_unload.yml

title: Sysmon driver unload
status: experimental
author: Kirill Kiryanov, oscd.community
description: Detect possible shutdown Sysmon
date: 2019/10/23
references: 
  - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
fields:
  - CommandLine
  - Details
falsepositives: Unknown
level: high
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image: '*\fltMC.exe'
    CommandLine: '*unload*Sys*'
  condition: selection
add new rule1 2019-10-23 11:27:52 +00:00			`title: Sysmon driver unload`
			`status: experimental`
			`author: Kirill Kiryanov, oscd.community`
			`description: Detect possible shutdown Sysmon`
			`date: 2019/10/23`
			`references:`
			`- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon`
			`fields:`
			`- CommandLine`
			`- Details`
			`falsepositives: Unknown`
			`level: high`
			`logsource:`
			`product: windows`
			`category: process_creation`
			`detection:`
			`selection:`
			`Image: '*\fltMC.exe'`
			`CommandLine: 'unloadSys*'`
update win_sysmon_driver_unload 2019-10-23 12:41:14 +00:00			`condition: selection`