Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@kondencuotas
About /?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
T1027: Obfuscated Powershell Invocations
Masquerading Processes in Userland via _PEB
Commandline Obfusaction
File Smuggling with HTML and JavaScript
T1099: Timestomping
T1096: Alternate Data Streams
T1158: Hidden Files
T1140: Encode/Decode Data with Certutil
Downloading Files with Certutil
T1045: Packed Binaries
Unloading Sysmon Driver
Bypassing IDS Signatures with Simple Reverse Shells
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
miscellaneous
Process Environment Block
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
Reversing Password Checking Routine
Powered by GitBook

Unloading Sysmon Driver

Unload sysmon driver which causes the system to stop recording sysmon event logs.

Execution

[email protected]
fltMC.exe unload SysmonDrv

Observations

Windows event logs suggesting SysmonDrv was unloaded successfully:

As well as processes requesting special privileges:

Note how in the last 35 minutes since the driver was unloaded, no further process creation events were recorded, although I spawned new processes during that time:

Note how the system thinks that the sysmon is still running, which it is, but not doing anything useful:

References

Previous
T1045: Packed Binaries
Next
Bypassing IDS Signatures with Simple Reverse Shells
Last updated Fri Oct 26 2018 13:03:36 GMT+0000 (UTC)
Contents
Execution
Observations
References