Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
Sigma rule (View on GitHub)
1title: Filter Driver Unloaded Via Fltmc.EXE
2id: 4931188c-178e-4ee7-a348-39e8a7a56821
3related:
4 - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
5 type: derived
6status: test
7description: Detect filter driver unloading activity via fltmc.exe
8references:
9 - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
10 - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
11author: Nasreddine Bencherchali
12date: 2023/02/13
13modified: 2023/03/14
14tags:
15 - attack.defense_evasion
16 - attack.t1070
17 - attack.t1562
18 - attack.t1562.002
19logsource:
20 product: windows
21 category: process_creation
22detection:
23 selection_img:
24 - Image|endswith: '\fltMC.exe'
25 - OriginalFileName: 'fltMC.exe'
26 selection_cli:
27 CommandLine|contains: 'unload'
28 filter_avira:
29 # ParentImage: C:\Users\ciadmin\AppData\Local\Temp\is-URCLK.tmp\endpoint-protection-installer-x64.tmp
30 CommandLine|endswith: 'unload rtp_filesystem_filter'
31 condition: all of selection_* and not 1 of filter_*
32falsepositives:
33 - Unknown
34level: high
References
-
Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog post and even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is for the tracking of potentially malicious activity on individual hosts and it is
Read More -
LockBit 2.0 ransomware attackers are constantly evolving and making detection, investigation, and prevention more complex by disabling EDR and other security products and deleting the evidence to stifle forensics attempts...
Read More
Related rules
- Sysmon Driver Unloaded Via Fltmc.EXE
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- ETW Logging Tamper In .NET Processes
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE