Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
Sigma rule
title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
      type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains: 'unload'
    filter_optional_avira:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp\'
        ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
        CommandLine|endswith:
            - 'unload rtp_filesystem_filter'
            - 'unload rtp_filter'
    filter_optional_manageengine:
        ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
        CommandLine|endswith: 'unload DFMFilter'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
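The rule's detection logic, as an added example that is not part of the rule or the SigmaHQ project: a small Python evaluator of the selection and filter sections, run over constructed process_creation events (the "ExampleFilter" name, the sample paths and the helper names are assumptions, not values from the rule).

```python
# Added example, not part of the SigmaHQ rule or project: a hand-written
# evaluator for this rule's logic over constructed process_creation events.
# Matching is case-insensitive, as Sigma string matching is by default.
def _lc(event, field):
    return str(event.get(field, "")).lower()  # missing field -> ""

def selection_img(event):  # list of maps = OR; catches a renamed binary too
    return (_lc(event, "Image").endswith("\\fltmc.exe")
            or _lc(event, "OriginalFileName") == "fltmc.exe")

def selection_cli(event):
    return "unload" in _lc(event, "CommandLine")

def filter_optional_avira(event):  # keys in one map are AND, lists are OR
    parent, cli = _lc(event, "ParentImage"), _lc(event, "CommandLine")
    return (any(d in parent for d in ("\\appdata\\local\\temp\\", ":\\windows\\temp\\"))
            and parent.endswith("\\endpoint-protection-installer-x64.tmp")
            and (cli.endswith("unload rtp_filesystem_filter")
                 or cli.endswith("unload rtp_filter")))

def filter_optional_manageengine(event):
    return (_lc(event, "ParentImage") == "c:\\program files (x86)\\manageengine"
            "\\uems_agent\\bin\\dcfaservice64.exe"
            and _lc(event, "CommandLine").endswith("unload dfmfilter"))

def matches(event):
    """condition: all of selection_* and not 1 of filter_optional_*"""
    return (selection_img(event) and selection_cli(event)
            and not (filter_optional_avira(event)
                     or filter_optional_manageengine(event)))

def ev(image, cli, parent, original="fltMC.exe"):
    return {"Image": image, "OriginalFileName": original,
            "CommandLine": cli, "ParentImage": parent}

# Constructed sample events (not real telemetry); "ExampleFilter" is made up.
CMD, FLTMC = "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\fltMC.exe"
EVENTS = {
    "unload_from_shell": ev(FLTMC, "fltMC.exe unload ExampleFilter", CMD),
    "renamed_binary": ev("C:\\Users\\Public\\svc.exe", "svc.exe unload ExampleFilter", CMD),
    "list_only": ev(FLTMC, "fltMC.exe filters", CMD),
    "avira_installer": ev(FLTMC, "fltMC.exe unload rtp_filter",
        "C:\\Users\\u\\AppData\\Local\\Temp\\endpoint-protection-installer-x64.tmp"),
    "manageengine": ev(FLTMC, "fltMC.exe unload DFMFilter",
        "C:\\Program Files (x86)\\ManageEngine\\uems_agent\\bin\\dcfaservice64.exe"),
}

def alerts():
    """Names of the constructed events the rule fires on."""
    return sorted(name for name, e in EVENTS.items() if matches(e))
```

Note that the renamed binary is still caught through OriginalFileName, while the two vendor installer cases are suppressed only when parent path and command line both match the optional filter.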
Related rules
- Sysmon Driver Unloaded Via Fltmc.EXE
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- Potential Suspicious Activity Using SeCEdit
- ASLR Disabled Via Sysctl or Direct Syscall - Linux