Filter Driver Unloaded Via Fltmc.EXE

calendarMar 14, 2023 · attack.defense_evasion attack.t1070 attack.t1562 attack.t1562.002  ·
Share on: linkedincopy

Detect filter driver unloading activity via fltmc.exe

Sigma rule (View on GitHub)

 1title: Filter Driver Unloaded Via Fltmc.EXE
 2id: 4931188c-178e-4ee7-a348-39e8a7a56821
 3related:
 4    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
 5      type: derived
 6status: test
 7description: Detect filter driver unloading activity via fltmc.exe
 8references:
 9    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
10    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
11author: Nasreddine Bencherchali
12date: 2023/02/13
13modified: 2023/03/14
14tags:
15    - attack.defense_evasion
16    - attack.t1070
17    - attack.t1562
18    - attack.t1562.002
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection_img:
24        - Image|endswith: '\fltMC.exe'
25        - OriginalFileName: 'fltMC.exe'
26    selection_cli:
27        CommandLine|contains: 'unload'
28    filter_avira:
29        # ParentImage: C:\Users\ciadmin\AppData\Local\Temp\is-URCLK.tmp\endpoint-protection-installer-x64.tmp
30        CommandLine|endswith: 'unload rtp_filesystem_filter'
31    condition: all of selection_* and not 1 of filter_*
32falsepositives:
33    - Unknown
34level: high

Related rules

to-top