(YARA) YARA_Detect_SysmonUnload
```yara
rule SysmonEvasion
{
    strings:
        // API name used to load a module: LoadLibrary()
        $load_library = "LoadLibrary"
        // API name used to resolve an export at runtime: GetProcAddress()
        $get_proc_address = "GetProcAddress"
        // Name of the routine that unloads the driver: Unload()
        $unload = "Unload"
        // Name of the Sysmon driver (service/file name)
        $sysmondrv = "sysmondrv"
    condition:
        // Fire only when every string above is present in the scanned file
        all of them
}
```
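A quick way to check what this rule does and does not fire on before deploying it is to model its matching logic in a few lines of Python and run it over constructed byte strings. The block below is an added example, not part of the Unprotect entry or the rule author's code; it copies the four patterns from the rule, emulates YARA's default ASCII, case-sensitive text-string matching plus the `all of them` condition, and adds an optional `wide` flag (the rule itself has no `wide` modifier) so the difference in coverage can be observed. The sample inputs are constructed for the check, not real binaries, and yara-python is not required.

```python
"""Pure-Python model of the SysmonEvasion YARA rule's matching logic.

Added example: not the rule author's code. The patterns are copied from
the rule; everything else (function names, samples) is constructed here.
"""

# The four ASCII patterns from the SysmonEvasion rule, keyed by identifier.
RULE_STRINGS = {
    "$load_library": b"LoadLibrary",
    "$get_proc_address": b"GetProcAddress",
    "$unload": b"Unload",
    "$sysmondrv": b"sysmondrv",
}


def match_strings(data: bytes, wide: bool = False) -> dict:
    """Return {identifier: bool} for each rule string found in data.

    YARA's default text string matches the ASCII bytes, case-sensitively.
    With wide=True the UTF-16LE form is also accepted, mirroring what the
    'wide' modifier would add (the rule as written does not use it).
    """
    hits = {}
    for ident, pattern in RULE_STRINGS.items():
        found = pattern in data
        if wide and not found:
            found = pattern.decode("ascii").encode("utf-16-le") in data
        hits[ident] = found
    return hits


def rule_fires(data: bytes, wide: bool = False) -> bool:
    """Condition 'all of them': every defined string must be present."""
    return all(match_strings(data, wide).values())


# Constructed samples (byte strings for the check, not real files).
SAMPLE_ALL_ASCII = (
    b"\x00kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    b"sysmondrv\x00Unload\x00"
)
SAMPLE_MISSING_UNLOAD = b"LoadLibraryA\x00GetProcAddress\x00sysmondrv\x00"
SAMPLE_UTF16 = "LoadLibrary GetProcAddress Unload sysmondrv".encode("utf-16-le")


def scan_samples() -> dict:
    """Run the rule model over the constructed samples; returns name -> fired."""
    return {
        "all_ascii": rule_fires(SAMPLE_ALL_ASCII),
        "missing_unload": rule_fires(SAMPLE_MISSING_UNLOAD),
        "utf16_default": rule_fires(SAMPLE_UTF16),
        "utf16_with_wide": rule_fires(SAMPLE_UTF16, wide=True),
    }


if __name__ == "__main__":
    for name, fired in scan_samples().items():
        print(f"{name:16s} -> {'match' if fired else 'no match'}")
```

Two things the run makes visible: `all of them` means a sample lacking any one of the four strings does not fire at all (the `missing_unload` case), and the rule's plain text strings only cover the ASCII spelling, so the same names stored as UTF-16LE are not matched unless the strings carry YARA's `wide` modifier (the `utf16_*` pair). Note also that `LoadLibraryA` matches `$load_library` because YARA text strings are substring matches, and that all four are fairly common names, so the rule is best used as one signal alongside Sysmon's own driver-unload telemetry rather than as a standalone verdict.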
Associated Techniques
Technique Name | Technique IDs | Snippet(s) | OS
---|---|---|---
Unloading Sysmon Driver | U0407 | |
Created: December 7, 2022
Last Revised: December 7, 2022