Problem: T1562.001 Atomic Test #11 - Unload Sysmon Filter Driver --> Prereq test failed #2951

SirStephanikus · 2024-10-06T18:06:21Z

What did you do?

Invoke-AtomicTest T1562.001 -TestNumbers 11 -CheckPrereqs
Does not find sysmon, despite being installed and active.

CLI: sc.exe query sysmon | findstr sysmon
Does not find sysmon, despite being installed and active

Prereq test should find sysmon

Windows Server 2022 Standard, as an AD-DC. Run with privileged user.

I found the issue:
---> The Atomic test expects to find "sysmon", but it runs here as "sysmon64" (installed via chocolatey).

Proof:

Get-Service -Name Sysmon64

Status   Name               DisplayName
------   ----               -----------
Running  Sysmon64           Sysmon64

sc.exe query sysmon64 | findstr sysmon64

SERVICE_NAME: sysmon64

Suggestion, fix up the Atomic Prereq test to recognize even sysmon64

The text was updated successfully, but these errors were encountered:

github-actions · 2024-11-06T01:58:00Z

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

SirStephanikus · 2024-11-06T08:45:21Z

Issue is still present.

github-actions · 2024-12-27T01:59:00Z

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

SirStephanikus · 2024-12-27T10:12:16Z

Push, to remove stale label

SirStephanikus mentioned this issue Oct 6, 2024

Problem: T1562.001 Atomic Test #12 - Uninstall Sysmon --> Failed #2952

Open

github-actions bot added the Stale label Nov 6, 2024

github-actions bot removed the Stale label Nov 7, 2024

cyberbuff self-assigned this Nov 26, 2024

github-actions bot added the Stale label Dec 27, 2024

github-actions bot removed the Stale label Dec 28, 2024