fix

rules/windows/process_creation/win_sysmon_driver_unload.yml

@@ -1,23 +0,0 @@
-title: Sysmon driver unload
-status: experimental
-author: Kirill Kiryanov, oscd.community
-description: Detect possible shutdown Sysmon
-references: 
-  - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
-fields:
-  - CommandLine
-  - Details
-falsepositives: Unknown
-level: medium
-logsource:
-  product: windows
-  service: security
-detection:
-  selection:
-    EventID: 4688
-    ProcessName: '*\fltMC.exe'
-    CommandLine: '*unload*Sys*'
-  selection1:
-    EventID: 4673
-    PrivilegeList: '*\SeLoadDriverPrivilege'
-  condition: selection and selection1