Threat Feed: high advisory

Sysmon Driver Unload via fltMC.exe

Detection of the Sysmon filter driver being unloaded via `fltMC.exe`, which can blind security monitoring and allow malicious actions to go undetected.

Attackers may attempt to disable or uninstall security tools like Sysmon to evade detection and hide malicious activity on a compromised system. Here this is achieved by unloading the Sysmon filter driver with `fltMC.exe`, the built-in Windows filter manager control utility. Once Sysmon is disabled, adversaries can carry out further actions without being logged, potentially leading to data breaches, privilege escalation, or persistent access within the environment. This technique is significant because it directly impacts the visibility and effectiveness of security monitoring.

Attack Chain

  1. The attacker gains initial access to the system through various means (e.g., compromised credentials, exploiting vulnerabilities, or social engineering).
  2. The attacker escalates privileges if necessary to gain administrative rights on the system.
  3. The attacker uses `fltMC.exe` to unload the Sysmon filter driver (SysmonDrv). The command executed is typically `fltMC.exe unload SysmonDrv`.
  4. The operating system processes the `fltMC.exe` command and detaches the Sysmon minifilter from the filter manager (the driver binary stays installed, but the filter is no longer active).
  5. Sysmon ceases to collect event data as its driver is no longer active.
  6. The attacker executes malicious commands, scripts, or binaries without being logged by Sysmon.
  7. The attacker establishes persistence, moves laterally, exfiltrates data, or achieves other objectives without Sysmon alerting.

Impact

Successful unloading of the Sysmon driver allows attackers to operate without being detected by Sysmon. This can lead to a complete loss of visibility into attacker activities, enabling data breaches, privilege escalation, and persistent access. The impact is significant as it directly undermines the effectiveness of security monitoring and incident response capabilities.

Recommendation

  • Deploy the Sigma rule "Sysmon Driver Unload via FltMC.exe" to detect the execution of `fltMC.exe` with the `unload` and `SysmonDrv` parameters.
  • Enable Sysmon process creation logging (Event ID 1) to ensure the required data is available for detection. Event ID 1 is written when the `fltMC.exe` process starts, before the unload takes effect, so the invocation itself is still recorded even though Sysmon stops logging afterwards.
  • Investigate any instance of `fltMC.exe` being used to unload drivers, especially when the parent process is suspicious.
  • Consider implementing host-based intrusion prevention system (HIPS) rules to prevent the execution of `fltMC.exe` or to restrict its use to authorized administrators.

Detection coverage (2 rules)

Sysmon Driver Unload via FltMC.exe (level: high)

Detects the use of `fltMC.exe` to unload the Sysmon filter driver.

Type: Sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: process_creation, windows

Suspicious Parent Process of fltMC.exe (level: medium)

Detects suspicious parent processes executing `fltMC.exe`, which could indicate malicious activity related to disabling the Sysmon driver.

Type: Sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: process_creation, windows
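The two detections listed above, together with the recommendation to alert on `fltMC.exe` executions carrying the `unload` and `SysmonDrv` parameters, can be expressed as a small matcher over Sysmon Event ID 1 (process creation) records. The following Python is an added example written for this page; it is not the platform's Sigma rules. The field names (`Image`, `CommandLine`, `ParentImage`) follow Sysmon's own event schema, while the alert names, the list of suspicious parent images, the sample events and the second driver name ("corpdrv") are constructed assumptions. It also goes one step beyond the page: because Sysmon installed with `sysmon -d <name>` registers its driver under a custom name, an unload of any filter not in the configured name set is still surfaced at low severity rather than dropped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sysmon's default filter driver name is SysmonDrv. Installations that used
# "sysmon -d <name>" register a different name, so the set is configurable.
# "corpdrv" is a constructed placeholder for such a renamed driver.
SYSMON_DRIVER_NAMES = {"sysmondrv", "corpdrv"}

# Parent images treated as suspicious for a fltMC.exe invocation. This list is
# an assumption made for the example, not the platform's definition.
SUSPICIOUS_PARENTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "winword.exe", "excel.exe", "outlook.exe", "rundll32.exe", "regsvr32.exe",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    level: str
    record_id: int


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (accepts / or \\)."""
    return re.split(r"[\\/]", image)[-1].lower()


def _tokens(command_line: str) -> List[str]:
    """Whitespace-split, lower-cased arguments with surrounding quotes removed."""
    return [t.strip('"').lower() for t in command_line.split()]


def evaluate(event: Dict) -> List[Alert]:
    """Apply the checks to one Sysmon record; only Event ID 1 for fltMC.exe qualifies."""
    alerts: List[Alert] = []
    if event.get("EventID") != 1 or _basename(event.get("Image", "")) != "fltmc.exe":
        return alerts
    rid = event["RecordId"]
    args = _tokens(event.get("CommandLine", ""))
    parent = _basename(event.get("ParentImage", ""))

    if "unload" in args:
        if SYSMON_DRIVER_NAMES & set(args):
            alerts.append(Alert("Sysmon Driver Unload via FltMC.exe", "high", rid))
        else:
            # Unload of another (possibly renamed, unlisted) filter: keep for triage.
            alerts.append(Alert("fltMC.exe Filter Unload (other driver)", "low", rid))
    if parent in SUSPICIOUS_PARENTS:
        alerts.append(Alert("Suspicious Parent Process of fltMC.exe", "medium", rid))
    return alerts


def scan(events: List[Dict]) -> List[Alert]:
    """Run evaluate() over a batch of records and collect all alerts in order."""
    out: List[Alert] = []
    for e in events:
        out.extend(evaluate(e))
    return out


# Constructed sample records in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "RecordId": 101, "Image": r"C:\Windows\System32\fltMC.exe",
     "CommandLine": "fltMC.exe unload SysmonDrv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "RecordId": 102, "Image": r"C:\Windows\System32\fltMC.exe",
     "CommandLine": '"fltmc.exe"  unload  sysmondrv',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "RecordId": 103, "Image": r"C:\Windows\System32\fltMC.exe",
     "CommandLine": "fltMC.exe filters",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "RecordId": 104, "Image": r"C:\Windows\System32\fltMC.exe",
     "CommandLine": "fltMC.exe unload SomeOtherFilter",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "RecordId": 105, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe unload SysmonDrv",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "RecordId": 106, "Image": r"C:\Windows\System32\fltMC.exe",
     "CommandLine": "fltMC.exe unload SysmonDrv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.level}] record {a.record_id}: {a.rule}")
```

Record 101 fires only the high-severity unload rule; record 102 fires both rules because the parent is `powershell.exe`; 103 is a harmless `fltmc filters` listing; 104 unloads a filter outside the configured name set and is kept at low severity; 105 is not `fltMC.exe` at all; 106 is a network-connection event (ID 3), not process creation, and is ignored. Matching on the `Image` file name rather than the first command-line token keeps a renamed or quoted invocation from slipping past the rule.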

Detection queries are kept inside the platform.