redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Problem: T1562.001 Atomic Test #11 - Unload Sysmon Filter Driver --> Prereq test failed #2951

Open SirStephanikus opened 1 month ago

SirStephanikus commented 1 month ago

What did you do?

Invoke-AtomicTest T1562.001 -TestNumbers 11 -CheckPrereqs does not find sysmon, despite it being installed and active.

CLI: sc.exe query sysmon | findstr sysmon does not find sysmon, despite it being installed and active.

What did you expect to happen?

Prereq test should find sysmon

Your Environment

Windows Server 2022 Standard, as an AD-DC. Run with privileged user.

I found the issue: the Atomic test expects to find "sysmon", but here it runs as "sysmon64" (installed via Chocolatey).

Proof:

Get-Service -Name Sysmon64

Status   Name               DisplayName
------   ----               -----------
Running  Sysmon64           Sysmon64

sc.exe query sysmon64 | findstr sysmon64

SERVICE_NAME: sysmon64

Suggestion: fix up the Atomic prereq test to recognize sysmon64 as well.
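A service check that accepts either name, as an added example (not the atomic-red-team project's own prereq command). The two service names are the ones reported above; the function names and the use of the exit code as the pass/fail signal are assumptions.

```powershell
# Added example: locate the Sysmon service whether it is registered as
# "Sysmon" or "Sysmon64" (the Chocolatey install reported above). Returns the
# matching service object, or $null when neither name exists. Only the two
# service names come from the report; function names are assumptions.
function Get-SysmonService {
    [CmdletBinding()]
    param(
        # Candidate service names; extend the list if a site renamed the service.
        [string[]]$Names = @('Sysmon', 'Sysmon64')
    )
    foreach ($name in $Names) {
        # Unlike "sc.exe query sysmon", this does not fail on a name mismatch;
        # a missing service simply yields $null and we try the next candidate.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $svc) { return $svc }
    }
    return $null
}

# Prereq-style check: true only when Sysmon is installed under a known name
# AND its service is actually running, which is what the test relies on.
function Test-SysmonRunning {
    [CmdletBinding()]
    param()
    $svc = Get-SysmonService
    if ($null -eq $svc) {
        Write-Warning 'Sysmon service not found under any known name.'
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Sysmon service '$($svc.Name)' found, but status is $($svc.Status)."
        return $false
    }
    Write-Verbose "Sysmon service '$($svc.Name)' is running."
    return $true
}

# Usage: exit 0 when the prerequisite is met, 1 otherwise (assumed convention
# for a prereq command; adapt if the harness expects a different signal).
if (Test-SysmonRunning) { exit 0 } else { exit 1 }
```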

github-actions[bot] commented 1 week ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

SirStephanikus commented 1 week ago

Issue is still present.