Neutering Sysmon via driver unload
Usage: Shhmon.exe <hunt|kill>
While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events. Shhmon locates and unloads the driver using this strategy:
1. Uses fltlib!FilterFindFirst
and fltlib!FilterFindNext
to enumerate drivers on the system in place of crawling the registry.
2a. If a driver is found at altitude 385201, it uses kernel32!OpenProcessToken
and advapi32!AdjustTokenPrivileges
to grant itself SeLoadDriverPrivilege
.
2b. If a driver was not found at 385201, it walks HKLM\SYSTEM\CurrentControlSet\Services
looking for a "Sysmon Instance" subkey and if found, assigns the required permission as described above.
3. If it was able get the required privilege, it calls fltlib!FilterUnload
to unload the driver.
There are a few interesting events surrounding this tactic that should be evaluated:
DriverCommunication
File System Filter '\<DriverName\>' (Version 0.0, \<Timstamp\>) unloaded successfully.
SeLoadDriverPrivileges
being granted to an account other than SYSTEM