Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
Sigma rule

title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
      type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali
date: 2023/02/13
modified: 2023/03/14
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.t1562
    - attack.t1562.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains: 'unload'
    filter_avira:
        # ParentImage: C:\Users\ciadmin\AppData\Local\Temp\is-URCLK.tmp\endpoint-protection-installer-x64.tmp
        CommandLine|endswith: 'unload rtp_filesystem_filter'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
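To see how the condition `all of selection_* and not 1 of filter_*` behaves, the following is an added example (not part of the Sigma project or this rule) that re-implements the rule's matching logic in plain Python and runs it over a handful of constructed process_creation events. Field names (`Image`, `OriginalFileName`, `CommandLine`) follow the Sigma process_creation taxonomy; the event records and their ids are made up for this illustration. As in Sigma, string comparisons are treated as case-insensitive, which is why the renamed-binary event below still matches on `OriginalFileName`.

```python
# Added example: evaluate the "Filter Driver Unloaded Via Fltmc.EXE" rule logic
# over constructed process_creation events. Not the Sigma project's own code.


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition.

    condition: all of selection_* and not 1 of filter_*
    Sigma string matching is case-insensitive by default, so every field is
    lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    original_name = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_img: a list of maps => any one of them may match (OR)
    selection_img = image.endswith("\\fltmc.exe") or original_name == "fltmc.exe"

    # selection_cli: a single map with one field => CommandLine|contains: 'unload'
    selection_cli = "unload" in cmdline

    # filter_avira: known-benign unload of the Avira rtp_filesystem_filter driver
    filter_avira = cmdline.endswith("unload rtp_filesystem_filter")

    return selection_img and selection_cli and not filter_avira


# Constructed sample events (ids and paths are made up for the example).
SAMPLE_EVENTS = [
    {   # fltmc.exe unloading a filter driver: should alert
        "id": "evt-1",
        "Image": r"C:\Windows\System32\fltMC.exe",
        "OriginalFileName": "fltMC.exe",
        "CommandLine": "fltmc.exe unload SysmonDrv",
    },
    {   # fltmc.exe only listing filters: no 'unload' in the command line
        "id": "evt-2",
        "Image": r"C:\Windows\System32\fltMC.exe",
        "OriginalFileName": "fltMC.exe",
        "CommandLine": "fltmc.exe filters",
    },
    {   # renamed copy of the binary: Image no longer matches, OriginalFileName does
        "id": "evt-3",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "fltMC.exe",
        "CommandLine": "svc.exe UNLOAD SysmonDrv",
    },
    {   # Avira installer unloading its own filter: suppressed by filter_avira
        "id": "evt-4",
        "Image": r"C:\Windows\System32\fltMC.exe",
        "OriginalFileName": "fltMC.exe",
        "CommandLine": "fltmc.exe unload rtp_filesystem_filter",
    },
    {   # unrelated process that happens to contain the word 'unload'
        "id": "evt-5",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe unload.txt",
    },
]


def evaluate(events: list) -> list:
    """Return the ids of all events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: filter driver unload via fltmc.exe")
```

Running the block prints alerts for `evt-1` and `evt-3` only: the listing command, the Avira-specific unload covered by `filter_avira`, and the unrelated notepad process are all left alone. The renamed-binary case is why the rule keys on `OriginalFileName` in addition to `Image`.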