
# Unloading Sysmon Driver

## Execution

{% code title="attacker@victim" %}

```
fltMC.exe unload SysmonDrv
```

{% endcode %}

![](/files/-LMENYs7FgCCrjOy2R6B)

## Observations

Windows event logs suggesting `SysmonDrv` was unloaded successfully:

![](/files/-LMEN_eOBU33IuE-WxMB)

As well as processes requesting special privileges:

![](/files/-LMENcwj6SVLspxcrDiA)

Note that in the 35 minutes since the driver was unloaded, no further process creation events were recorded, although I spawned new processes during that time:

![](/files/-LMEOphHDD-ddK5t1gx2)

Note that the system still reports Sysmon as running, which it is, but with its driver unloaded it no longer records anything useful:

![](/files/-LMEPZvScb3EE7uSCyF3)
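As an added example, not code from the original page or from ired.team, the following Python script shows the defender's side of the two observations above: it searches constructed process-creation records for the `fltMC.exe unload SysmonDrv` command line from the Execution section, and it flags the quieter symptom, a Sysmon service that is reported running while no process creation event has arrived for longer than expected. The sample records, their timestamps, the `assess_host` helper and the 15-minute threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample records, shaped like Sysmon Event ID 1 (process creation)
# entries as a SIEM might store them. Field names follow Sysmon's schema;
# the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2018-07-18 10:00:05.123",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "UtcTime": "2018-07-18 10:02:11.456",
     "Image": r"C:\Windows\System32\fltMC.exe",
     "CommandLine": "fltMC.exe unload SysmonDrv"},
    # Nothing after this point: once the minifilter is gone, Sysmon records
    # no further process creations even though processes keep being spawned.
]

# Matches the command line shown in the Execution section, with or without
# the .exe suffix or a full path, regardless of case.
UNLOAD_RE = re.compile(r"\bfltmc(?:\.exe)?\s+unload\s+sysmondrv\b", re.IGNORECASE)

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def find_driver_unload(events):
    """Return process-creation events whose command line unloads SysmonDrv."""
    return [e for e in events
            if e.get("EventID") == 1 and UNLOAD_RE.search(e.get("CommandLine", ""))]


def minutes_since_last_event(events, now_utc, event_id=1):
    """Minutes between now_utc and the newest event with event_id, or None."""
    stamps = [datetime.strptime(e["UtcTime"], TIME_FMT)
              for e in events if e.get("EventID") == event_id]
    if not stamps:
        return None
    return (datetime.strptime(now_utc, TIME_FMT) - max(stamps)).total_seconds() / 60


def assess_host(events, now_utc, service_running, max_gap_minutes=15):
    """Summarise the two signals the page's screenshots show (hypothetical helper).

    unload_seen    - an explicit fltMC unload of SysmonDrv was logged
    minutes_silent - minutes since the last process creation event (None if none)
    silent_gap     - the service is reported running, yet no process creation
                     event has arrived for longer than max_gap_minutes
                     (the threshold is an assumption; tune it to host activity)
    """
    gap = minutes_since_last_event(events, now_utc)
    return {
        "unload_seen": bool(find_driver_unload(events)),
        "minutes_silent": gap,
        "silent_gap": service_running and (gap is None or gap > max_gap_minutes),
    }


if __name__ == "__main__":
    # 35 minutes after the unload, as in the page's last screenshot.
    print(assess_host(SAMPLE_EVENTS, "2018-07-18 10:37:11.456", service_running=True))
```

On the host itself the same inconsistency can be confirmed by comparing the Sysmon service state with the minifilter list printed by `fltmc filters`: a running service whose driver is absent from that list is in exactly the state the last screenshot shows.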

## References

{% embed url="https://twitter.com/Moti_B/status/1019307375847723008" %}
