
Unloading Sysmon Driver

Unloading the Sysmon minifilter driver causes the system to stop recording Sysmon event logs, even though the Sysmon service itself keeps running.

Execution

attacker@victim
fltMC.exe unload SysmonDrv

Observations

Windows event logs suggesting SysmonDrv was unloaded successfully:

As well as processes requesting special privileges:

Note how in the last 35 minutes since the driver was unloaded, no further process creation events were recorded, although I spawned new processes during that time:

Note how the system still reports the Sysmon service as running. It is running, but with its driver unloaded it no longer does anything useful:
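A defender-side health check for the state observed above, written as an added example (it is not part of the original page or of Sysmon itself). It assumes the default driver name `SysmonDrv` and the default Sysmon operational log; the 35-minute quiet window is taken from the observation above and is a tunable assumption.

```powershell
# Added example: detect a Sysmon service that reports Running while its
# minifilter is gone and no new process-creation events are being written.
param(
    [string]$DriverName   = 'SysmonDrv',  # assumption: default driver name; renamed installs differ
    [int]   $QuietMinutes = 35            # gap observed on this page; tune for your hosts
)

# 1. Service state as the OS reports it (Sysmon or Sysmon64).
$svc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object -First 1
$serviceRunning = [bool]($svc -and $svc.Status -eq 'Running')

# 2. Is the minifilter actually attached? Parse the first column of 'fltMC.exe filters'.
$filters = fltMC.exe filters | ForEach-Object {
    if ($_ -match '^(\S+)\s+\d+\s+\d+') { $Matches[1] }
}
$driverLoaded = [bool]($filters -contains $DriverName)

# 3. When did Sysmon last write a process-creation event (Event ID 1)?
$last = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
} -MaxEvents 1 -ErrorAction SilentlyContinue
$minutesSince = if ($last) { ((Get-Date) - $last.TimeCreated).TotalMinutes }
                else        { [double]::PositiveInfinity }

# 4. Filter Manager records minifilter unloads in the System log; surface any for this driver.
$unloads = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-FilterManager'
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $DriverName -and $_.Message -match 'unload' }

# A running service with no driver is a hard signal; a long silence while the
# service is "Running" is the softer signal described on this page.
[pscustomobject]@{
    ServiceRunning                = $serviceRunning
    DriverLoaded                  = $driverLoaded
    MinutesSinceLastProcessCreate = [math]::Round($minutesSince, 1)
    FilterManagerUnloadEvents     = @($unloads).Count
    Tampered                      = $serviceRunning -and
                                    (-not $driverLoaded -or $minutesSince -gt $QuietMinutes)
}
```

The quiet-window check will false-positive on an idle host, so treat `DriverLoaded = False` with `ServiceRunning = True` as the reliable indicator and the silence as corroboration.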
