Filter Driver Unloaded Via Fltmc.EXE

Original Source: [Sigma source]

Title: Filter Driver Unloaded Via Fltmc.EXE
Status: test
Description:Detect filter driver unloading activity via fltmc.exe
References:
-https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
-https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
Author: Nasreddine Bencherchali (Nextron Systems)
Date: 2023-02-13
modified:2024-06-24
Tags:

-'attack.defense-evasion'
-'attack.t1070'
-'attack.t1562'
-'attack.t1562.002'

Logsource:

product: windows
category: process_creation

Detection:
selection_img:
Image|endswith:'\fltMC.exe' OriginalFileName:'fltMC.exe' selection_cli:
CommandLine|contains: 'unload'
filter_optional_avira:
ParentImage|startswith: 'C:\Users\'
ParentImage|contains: '\AppData\Local\Temp\'
ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
CommandLine|endswith: 'unload rtp_filesystem_filter'
filter_optional_manageengine:
ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
CommandLine|endswith: 'unload DFMFilter'
condition:all of selection_* and not 1 of filter_optional_*
Falsepositives:
-Unknown
Level: medium

Sign Up to Personalize and Manage Your Detection

Filter Driver Unloaded Via Fltmc.EXE