Unloading Sysmon Driver
Unloading the Sysmon driver (SysmonDrv) causes the system to stop recording Sysmon event logs, even though the Sysmon service itself keeps running.
attacker@victim
fltMC.exe unload SysmonDrv

Windows event logs suggesting SysmonDrv was unloaded successfully:
As well as processes requesting special privileges:

Note how in the last 35 minutes since the driver was unloaded, no further process creation events were recorded, although I spawned new processes during that time:

Note how the system thinks that Sysmon is still running, which it is, but it is no longer doing anything useful:
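Detection logic for the three signals described above (the fltMC.exe process creation, the FilterManager unload message in the System log, and the privileged-service-call event), plus a telemetry-silence check for the gap the screenshots show. This is an added example, not part of the original notes; the event records are constructed, and the field names, the use of Security event 4673 for SeLoadDriverPrivilege, and the 30-minute silence threshold are assumptions:

```python
"""Detect Sysmon driver unloads from constructed Windows event records (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample events, modelled on the telemetry the notes describe.
# Field names, the 4673 event and the timestamps are illustrative, not from a real host.
SAMPLE_EVENTS = [
    {"log": "Sysmon", "id": 1, "time": "2020-01-01T11:59:00",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"log": "Sysmon", "id": 1, "time": "2020-01-01T12:00:00",
     "Image": r"C:\Windows\System32\fltMC.exe", "CommandLine": "fltMC.exe unload SysmonDrv"},
    {"log": "System", "id": 1, "time": "2020-01-01T12:00:01", "Provider": "FilterManager",
     "Message": "File System Filter 'SysmonDrv' (Version 10.0, 2019-01-01T00:00:00.000000000Z) "
                "unloaded successfully."},
    {"log": "Security", "id": 4673, "time": "2020-01-01T12:00:01",
     "ProcessName": r"C:\Windows\System32\fltMC.exe", "Privileges": "SeLoadDriverPrivilege"},
]

# fltMC[.exe] ... unload ... SysmonDrv, case-insensitive, tolerant of extra arguments/paths.
UNLOAD_CMD = re.compile(r"\bfltmc(\.exe)?\b.*\bunload\b.*\bsysmondrv\b", re.IGNORECASE)
# FilterManager message confirming the minifilter actually left the stack.
FILTER_UNLOADED = re.compile(r"Filter 'SysmonDrv'.*unloaded successfully", re.IGNORECASE)


def detect_unload(events):
    """Return (reason, event) pairs for records that indicate SysmonDrv was unloaded."""
    hits = []
    for e in events:
        if e["log"] == "Sysmon" and e["id"] == 1 and UNLOAD_CMD.search(e.get("CommandLine", "")):
            hits.append(("fltMC unload of SysmonDrv", e))
        elif (e["log"] == "System" and e.get("Provider") == "FilterManager"
              and FILTER_UNLOADED.search(e.get("Message", ""))):
            hits.append(("FilterManager reported SysmonDrv unloaded", e))
        elif (e["log"] == "Security" and e["id"] == 4673
              and "SeLoadDriverPrivilege" in e.get("Privileges", "")
              and e.get("ProcessName", "").lower().endswith("fltmc.exe")):
            hits.append(("SeLoadDriverPrivilege used by fltMC.exe", e))
    return hits


def telemetry_silent(events, now_iso, max_gap=timedelta(minutes=30)):
    """True when no Sysmon process-creation event arrived within max_gap of now_iso.

    Catches the state the notes show: the service looks healthy, but the driver is
    gone and the process-creation stream has stopped. The threshold is an assumption.
    """
    times = [datetime.fromisoformat(e["time"]) for e in events
             if e["log"] == "Sysmon" and e["id"] == 1]
    return not times or datetime.fromisoformat(now_iso) - max(times) > max_gap
```

The silence check only tells you that the stream stopped, not why; correlate it with the unload hits (or a reboot) before treating it as tampering.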
