| description |
|---|
Unload sysmon driver which causes the system to stop recording sysmon event logs. |
{% code-tabs %} {% code-tabs-item title="attacker@victim" %}
fltMC.exe unload SysmonDrv
{% endcode-tabs-item %} {% endcode-tabs %}
Windows event logs suggesting SysmonDrv was unloaded successfully:
As well as processes requesting special privileges:
Note how in the last 35 minutes since the driver was unloaded, no further process creation events were recorded, although I spawned new processes during that time:
Note how the system thinks that the sysmon is still running, which it is, but not doing anything useful:
{% embed url="https://twitter.com/Moti\_B/status/1019307375847723008" %}