LoFP / legitimate administrators might use this command to remove sysmon for debugging purposes

Techniques

• t1562
• t1562.001

Sample rules

Uninstall Sysinternals Sysmon

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: -u
selection_pe:
- Image|endswith:
  - \Sysmon64.exe
  - \Sysmon.exe
- Description: System activity monitor