From 043e3f7ca69c38b37520d899421c3a21f10a8157 Mon Sep 17 00:00:00 2001
From: alexpetrov12
Date: Wed, 23 Oct 2019 13:48:44 +0300
Subject: [PATCH] fix
---
 .../win_sysmon_driver_unload.yml | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_sysmon_driver_unload.yml
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml
deleted file mode 100644
index e4f50987..00000000
--- a/rules/windows/process_creation/win_sysmon_driver_unload.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Sysmon driver unload
-status: experimental
-author: Kirill Kiryanov, oscd.community
-description: Detect possible shutdown Sysmon
-references:
-  - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
-fields:
-  - CommandLine
-  - Details
-falsepositives: Unknown
-level: medium
-logsource:
-  product: windows
-  service: security
-detection:
-  selection:
-    EventID: 4688
-    ProcessName: '*\fltMC.exe'
-    CommandLine: '*unload*Sys*'
-  selection1:
-    EventID: 4673
-    PrivilegeList: '*\SeLoadDriverPrivilege'
-  condition: selection and selection1