Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Impair Defenses | Indicator Blocking | Defense Evasion | Low |

| D3FEND Technique | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
Pseudocode - fltmc invocation (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below.
processes = search Process:Create
fltmc_processes = filter processes where (
    exe = "fltmc.exe" AND command_line = "*unload*")
output fltmc_processes
Splunk search - fltmc invocation (Splunk, Sysmon native)
This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers.
index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe")
LogPoint search - fltmc invocation (LogPoint, LogPoint native)
This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers.
norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe")
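The following is an added example, not part of the CAR analytic or of any of the vendor searches above. It applies the same logic as the pseudocode and the Splunk and LogPoint searches to a handful of constructed Sysmon Event ID 1 records written in Splunk-style `key="value"` form, so the behaviour of the rule can be checked offline. The `by_path` switch reproduces the two ways the page expresses the match: the Splunk and LogPoint searches key on the two full system paths of fltMC.exe, while the CAR pseudocode keys on the executable name alone. The sample log lines, the field names beyond those on the page, and the function names are all assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample Sysmon process-create (EventCode 1) records, reduced to
# the fields the analytic uses. These are not real telemetry.
SAMPLE_LOG = r'''
EventCode=1 Image="C:\Windows\System32\fltMC.exe" CommandLine="fltMC.exe unload SysmonDrv"
EventCode=1 Image="C:\Windows\SysWOW64\fltMC.exe" CommandLine="fltmc unload SomeFilter"
EventCode=1 Image="C:\Windows\System32\fltMC.exe" CommandLine="fltmc filters"
EventCode=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd /c echo unload"
EventCode=3 Image="C:\Windows\System32\fltMC.exe" CommandLine="fltmc unload Other"
EventCode=1 Image="C:\Temp\fltMC.exe" CommandLine="fltmc unload Other"
'''

# key=value pairs, where the value is either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two image paths named in the Splunk and LogPoint searches (lower-cased,
# because Windows paths and Splunk wildcard matching are case-insensitive).
FLTMC_PATHS = {
    r"c:\windows\syswow64\fltmc.exe",
    r"c:\windows\system32\fltmc.exe",
}


def parse_event(line):
    """Turn one key="value" log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_fltmc_unload(event, by_path=True):
    """True when the record is a process-create (EventCode 1) for fltmc whose
    command line contains 'unload'.

    by_path=True  mirrors the Splunk/LogPoint searches (full-path match).
    by_path=False mirrors the CAR pseudocode (exe = "fltmc.exe", name only).
    """
    if event.get("EventCode") != "1":
        return False
    image = event.get("Image", "").lower()
    command_line = event.get("CommandLine", "").lower()
    if "unload" not in command_line:
        return False
    if by_path:
        return image in FLTMC_PATHS
    return PureWindowsPath(image).name == "fltmc.exe"


def find_fltmc_unloads(log_text, by_path=True):
    """Parse every non-empty line of log_text and return the matching events."""
    events = [parse_event(line) for line in log_text.strip().splitlines() if line.strip()]
    return [event for event in events if is_fltmc_unload(event, by_path=by_path)]


if __name__ == "__main__":
    for hit in find_fltmc_unloads(SAMPLE_LOG):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Run against the sample, the path-based form matches the two System32/SysWOW64 events only; the name-based form from the pseudocode also matches the copy executed from `C:\Temp`. The `fltmc filters` listing, the unrelated `cmd.exe` line that merely contains the word "unload", and the EventCode 3 record are excluded in both forms, which is the set of cases a detection engineer would want to confirm before deploying the rule.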