Potential Mftrace.EXE Abuse

Apr 28, 2026 · attack.execution attack.stealth attack.t1127 ·

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.

Sigma rule (View on GitHub)

 1title: Potential Mftrace.EXE Abuse
 2id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
 3status: test
 4description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-06-09
 9modified: 2023-08-03
10tags:
11    - attack.execution
12    - attack.stealth
13    - attack.t1127
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        ParentImage|endswith: '\mftrace.exe'
20    condition: selection
21falsepositives:
22    - Legitimate use for tracing purposes
23level: medium

References

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/

Read More

Potential Mftrace.EXE Abuse

Sigma rule (View on GitHub)

References

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/

Related rules