Sysmon Driver Unloaded Via Fltmc.EXE
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| Sysmon Driver Unloaded Via Fltmc.EXE | Standard | Windows | Defense Evasion: Impair Defenses (T1562); Defense Evasion: Impair Defenses - Disable Windows Event Logging (T1562.002); Defense Evasion: Indicator Removal (T1070) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Sysmon (System Monitor) is a critical security tool from the Microsoft Sysinternals suite, used to provide deep visibility into system activity for threat detection and incident response. Attackers may attempt to disable Sysmon and evade detection by unloading its driver with the fltMC.exe unload command. fltMC.exe is a legitimate Windows utility for managing file system filter drivers, but it can be abused by adversaries or malicious insiders to silently unload the Sysmon minifilter driver (SysmonDrv), effectively shutting down monitoring and creating blind spots for defenders.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Execution → Use of fltMC.exe to unload Sysmon driver → Defense evasion → Impact
Impact
- Defense evasion
- Loss of security visibility
- Malicious activity undetected
- Potential data theft or persistence
- Disruption of incident response
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\fltMC.exe" OR ORIGINALFILENAME = "fltMC.exe") AND (COMMANDLINE contains "unload" AND COMMANDLINE contains "sysmon") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
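The Criteria above, re-implemented in Python as an added example (not the product's own rule engine) and run over constructed process-creation events; field names follow the rule text, matching is case-insensitive, and the hostnames, users and paths are made up:

```python
"""Reference implementation of the rule's Action1 criteria (added example)."""
from typing import Dict, List

# Fields the rule's "select" clause projects into the alert.
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                 "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a process-start event is fltMC.exe unloading a Sysmon filter."""
    if event.get("actionname") != "Process started":
        return False                      # process termination etc. is ignored
    proc = event.get("PROCESSNAME", "").lower()
    orig = event.get("ORIGINALFILENAME", "").lower()
    cmd = event.get("COMMANDLINE", "").lower()
    # Either the on-disk name or the PE OriginalFilename identifies fltMC.exe.
    is_fltmc = proc.endswith("\\fltmc.exe") or orig == "fltmc.exe"
    return is_fltmc and "unload" in cmd and "sysmon" in cmd


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the selected fields for every event that satisfies the rule."""
    return [{k: e.get(k, "") for k in SELECT_FIELDS}
            for e in events if matches_rule(e)]


def _ev(process: str, original: str, cmdline: str,
        action: str = "Process started") -> Dict[str, str]:
    """Build a constructed sample event (all values are made up)."""
    return {"actionname": action, "HOSTNAME": "WS-042", "MESSAGE": "Process Create",
            "PROCESSNAME": process, "ORIGINALFILENAME": original,
            "COMMANDLINE": cmdline, "FILE_NAME": process.rsplit("\\", 1)[-1],
            "USERNAME": "CORP\\jdoe",
            "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe"}


SAMPLE_EVENTS = [
    # 0: the behaviour the rule targets
    _ev("C:\\Windows\\System32\\fltMC.exe", "fltMC.exe", "fltMC.exe unload SysmonDrv"),
    # 1: listing filters is routine administration, must not alert
    _ev("C:\\Windows\\System32\\fltmc.exe", "fltMC.exe", "fltmc.exe filters"),
    # 2: unloading an unrelated filter is outside this rule's scope
    _ev("C:\\Windows\\System32\\fltmc.exe", "fltMC.exe", "fltmc unload ExampleFilter"),
    # 3: same binary started under another file name; ORIGINALFILENAME still matches
    _ev("C:\\Users\\Public\\svc.exe", "fltMC.exe", "svc.exe unload sysmondrv"),
    # 4: a termination event for the same command line is not a process start
    _ev("C:\\Windows\\System32\\fltMC.exe", "fltMC.exe",
        "fltMC.exe unload SysmonDrv", action="Process terminated"),
]
```

The COMMANDLINE field is only populated when command-line logging is enabled alongside process-creation auditing, or when Sysmon Event ID 1 is collected; without it the second half of the criteria can never match.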
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Impair Defenses (T1562); Defense Evasion: Impair Defenses - Disable Windows Event Logging (T1562.002); Defense Evasion: Indicator Removal (T1070)
Security Standards
Enabling this rule will help you meet the security standard requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you are notified that fltMC.exe has been used to unload the Sysmon driver, which is often a sign that someone is attempting to disable monitoring. This lets you review privileged process activity, investigate possible tampering by attackers, respond quickly to restore security monitoring, and assess the risk that malicious actions went undetected while the driver was unloaded.
Author
Kirill Kiryanov, oscd.community
Future actions
Known False Positives
This rule may trigger during legitimate maintenance activities, security troubleshooting, or authorized software updates that temporarily unload the Sysmon driver for compatibility or upgrade reasons. Always review event context, administrative activity, and change control records before escalating.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Reconfiguration: Tighten permissions for the use of fltMC.exe, restrict administrative access, and enhance detection analytics for similar attempts in the environment.
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
| --- | --- | --- |
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. |
| M1038 | Execution Prevention | Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1054 | Software Configuration | Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections. (Citation: Chromium HSTS) |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1041 | Encrypt Sensitive Information | Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
| M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |