Filter Driver Unloaded Via Fltmc.EXE

calendar Jun 25, 2024 · attack.defense_evasion attack.t1070 attack.t1562 attack.t1562.002  ·
Share on: linkedin copy

Detect filter driver unloading activity via fltmc.exe

Sigma rule (View on GitHub)

 1title: Filter Driver Unloaded Via Fltmc.EXE
 2id: 4931188c-178e-4ee7-a348-39e8a7a56821
 3related:
 4    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
 5      type: derived
 6status: test
 7description: Detect filter driver unloading activity via fltmc.exe
 8references:
 9    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
10    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023/02/13
13modified: 2024/06/24
14tags:
15    - attack.defense_evasion
16    - attack.t1070
17    - attack.t1562
18    - attack.t1562.002
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection_img:
24        - Image|endswith: '\fltMC.exe'
25        - OriginalFileName: 'fltMC.exe'
26    selection_cli:
27        CommandLine|contains: 'unload'
28    filter_optional_avira:
29        ParentImage|startswith: 'C:\Users\'
30        ParentImage|contains: '\AppData\Local\Temp\'
31        ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
32        CommandLine|endswith: 'unload rtp_filesystem_filter'
33    filter_optional_manageengine:
34        ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
35        CommandLine|endswith: 'unload DFMFilter'
36    condition: all of selection_* and not 1 of filter_optional_*
37falsepositives:
38    - Unknown
39level: medium

References

  • Operating Offensively Against Sysmon

    Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog post and even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is for the tracking of potentially malicious activity on individual hosts and it is


    Read More

  • THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom

    LockBit 2.0 ransomware attackers are constantly evolving and making detection, investigation, and prevention more complex by disabling EDR and other security products and deleting the evidence to stifle forensics attempts...


    Read More

Related rules

to-top