title: Disable Sysmon
description: Detects disabling of the Sysmon driver or service.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 001
operating_system: windows
query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv")
  OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
false_positives: 
tags: