ceramicskate0 / SWELF

Simple Windows Event Log Forwarder (SWELF). It's an easy-to-use, simply-works log forwarder and EVTX parser. Almost in full release here at https://github.com/ceramicskate0/SWELF/releases/latest.
https://ceramicskate0.github.io/SWELF/
GNU Affero General Public License v3.0

Add sysmon integ check feature addition #114

Closed ceramicskate0 closed 4 years ago

ceramicskate0 commented 5 years ago

Based on POC at https://github.com/matterpreter/Shhmon an uploaded bad sysmon driver caused crash of sysmon. While IOCs are there the current integ check SWELF does may not by default find this. This should be built into app due to reliance on sysmon working. (SWELF will not fix or resolve issue but should alert when found per run).

IOCs to add to example Searchs.txt file and Sysmon Event ID 255 into application for sec_check():

ceramicskate0 commented 5 years ago

Similar to issue https://github.com/ceramicskate0/SWELF/issues/88

ceramicskate0 commented 5 years ago

(R&D) Notes for dev from github repo:

While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events. Shhmon locates and unloads the driver using this strategy:

  1. Uses fltlib!FilterFindFirst and fltlib!FilterFindNext to enumerate drivers on the system in place of crawling the registry.
  2a. If a driver is found at altitude 385201, it uses kernel32!OpenProcessToken and advapi32!AdjustTokenPrivileges to grant itself SeLoadDriverPrivilege.
  2b. If a driver was not found at 385201, it walks HKLM\SYSTEM\CurrentControlSet\Services looking for a "Sysmon Instance" subkey and if found, assigns the required permission as described above.
  3. If it was able to get the required privilege, it calls fltlib!FilterUnload to unload the driver.

ceramicskate0 commented 5 years ago

Issue to be addressed after my OSCP. Recommend adding some of the info above to searchs.txt in the meantime. sysmon does create event for this that could be used to alert. All I plan to do is hard code detection of event into SWELF (NOT FIX IT FOR YOU).
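A defender-side integrity check over the two signals this issue names (a minifilter present at altitude 385201, and Sysmon Event ID 255), written as an added example rather than SWELF's own sec_check() code; the `fltmc filters` output, the event records and their dict shape are constructed samples, not captures from a real host.

```python
import re
from typing import Dict, List

SYSMON_ALTITUDE = "385201"   # Sysmon's fixed minifilter altitude, per the issue
SYSMON_ERROR_EVENT_ID = 255  # Sysmon "error" event, per the issue

# Constructed sample of `fltmc filters` output with no filter at 385201
# (i.e. what a host looks like after the driver has been unloaded).
FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                4       328010         0
FileInfo                                4       40150          0
"""

# Constructed sample events in a hypothetical simplified dict shape;
# the message text is made up, not Sysmon's real wording.
EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "message": "Process Create"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 255,
     "message": "Error: DriverCommunication (constructed sample)"},
]

ALTITUDE_RE = re.compile(r"^\d+(\.\d+)?$")


def parse_fltmc(text: str) -> Dict[str, str]:
    """Map filter name -> altitude from `fltmc filters` output (skips the 2 header lines)."""
    altitudes: Dict[str, str] = {}
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 3 and ALTITUDE_RE.match(parts[2]):
            altitudes[parts[0]] = parts[2]
    return altitudes


def sysmon_filter_loaded(text: str) -> bool:
    """True if any loaded minifilter sits at Sysmon's altitude, whatever its name."""
    return SYSMON_ALTITUDE in parse_fltmc(text).values()


def sysmon_integrity_check(fltmc_text: str, events: List[dict]) -> List[str]:
    """Return alert strings; empty list means both checks passed."""
    findings = []
    if not sysmon_filter_loaded(fltmc_text):
        findings.append(f"ALERT: no minifilter at altitude {SYSMON_ALTITUDE}; Sysmon driver may be unloaded")
    for e in events:
        if e["channel"].endswith("Sysmon/Operational") and e["event_id"] == SYSMON_ERROR_EVENT_ID:
            findings.append(f"ALERT: Sysmon Event ID 255: {e['message']}")
    return findings
```

On a live host the first argument would be the stdout of `fltmc filters` (which needs an elevated prompt) and the second the parsed Sysmon/Operational channel.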