From aa3bd1b0633b5ba670d2e561f3d15f569dc8618d Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Wed, 3 Oct 2018 08:56:58 -0500
Subject: [PATCH] T1089 Added test to unload Sysmon filter driver (#366)

---
 atomics/T1089/T1089.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml
index 3fd1ac08..f384b89f 100644
--- a/atomics/T1089/T1089.yaml
+++ b/atomics/T1089/T1089.yaml
@@ -95,3 +95,18 @@ atomic_tests:
     name: sh
     command: |
       sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+
+- name: Unload Sysmon Filter Driver
+  description: |
+    Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
+  supported_platforms:
+  - windows
+  input_arguments:
+    sysmon_driver:
+      description: The name of the Sysmon filter driver (this can change from the default)
+      type: string
+      default: SysmonDrv
+  executor:
+    name: command_prompt
+    command: |
+      fltmc.exe unload #{sysmon_driver}
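Review bot: The executor command `fltmc.exe unload #{sysmon_driver}` only succeeds from an elevated prompt, and nothing in the new test reloads the driver afterwards, so a successful run leaves the host without Sysmon telemetry until someone restores it by hand. I would state both in the description, e.g. `Requires an administrator (elevated) command prompt. After the test, reload the minifilter with fltmc.exe load <driver name> or restart the Sysmon service to restore telemetry.`, and, if this schema version supports them, add `elevation_required: true` to the test and `cleanup_command: fltmc.exe load #{sysmon_driver}` under `executor` (the still-registered minifilter should re-attach on load, but verify that on a test host before relying on it). The description should also say that the Sysmon service keeps running but receives no events once the driver is gone, since that blind-but-alive state is the evasion being exercised and the unload itself is the detection opportunity. The `sysmon_driver` argument rightly anticipates a renamed driver; it may be worth noting that the `SysmonDrv` default only matches an installation that did not rename the driver at install time.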