Skip to content
Threat Feed
medium advisory

Potential Evasion via Filter Manager

Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, evading defenses like EDR and antivirus.

The Filter Manager Control Program (fltMC.exe) is a legitimate Windows utility used to manage and query filter drivers loaded on a system. These filter drivers, often called minifilters, are used by many security products, including EDR and antivirus solutions, to intercept and modify I/O requests. Adversaries can abuse fltMC.exe to unload these minifilters, effectively disabling security controls and evading detection. This technique is particularly effective because fltMC.exe is a signed Microsoft binary, making it less likely to be flagged by standard application control policies. The targeting is broad, affecting any Windows system with vulnerable filter drivers and inadequate process monitoring. This is a common post-exploitation tactic.

Attack Chain

  1. The attacker gains initial access to the target system via other means.
  2. The attacker identifies security software utilizing minifilters.
  3. The attacker uses fltMC.exe with the unload argument to attempt to disable a targeted minifilter.
  4. The command fltMC.exe unload <filter_name> is executed, where <filter_name> specifies the driver to unload.
  5. Windows validates the request. If the attacker has sufficient privileges and the filter allows unloading, the driver is unloaded.
  6. The unloaded filter driver is no longer active, and its protections are bypassed.
  7. The attacker proceeds with malicious activities (e.g., malware execution, data exfiltration) without the filter's interference.
  8. The attacker attempts to remove traces of the activity by deleting logs or other artifacts.

Impact

Successful exploitation allows attackers to bypass security controls implemented by filter drivers, such as real-time malware detection, file system monitoring, and behavior-based detection. This can lead to successful malware execution, data exfiltration, or other malicious activities that would otherwise be prevented. The impact is significant, especially in environments heavily reliant on filter drivers for security.

Recommendation

  • Monitor process creation events for fltMC.exe executions with the unload argument using the provided Sigma rule to identify potential evasion attempts.
  • Implement strict access controls on fltMC.exe to limit its usage to authorized personnel only.
  • Investigate any identified instances of fltMC.exe being used to unload filter drivers, focusing on the parent process and the targeted driver.
  • Review and harden endpoint detection and response (EDR) configurations to ensure that the EDR solution can detect malicious activity even if filter drivers are unloaded.
  • Consider implementing application control policies to restrict the execution of fltMC.exe by unauthorized users or processes.
  • Monitor the Windows Security Event Logs and Sysmon logs for process creation events related to fltMC.exe.
  • Use the provided Sigma rule to detect suspicious usage of fltMC.exe and tune it for your environment.

Detection coverage 2

Detect Filter Manager Unload Activity

medium

Detects the use of fltMC.exe to unload filter drivers, which can be used to evade defenses.

sigma tactics: defense_evasion techniques: T1562, T1562.001 sources: process_creation, windows

Detect Filter Manager Unload Activity from Non-System Paths

high

Detects fltMC.exe execution from non-system paths to evade defenses.

sigma tactics: defense_evasion techniques: T1562, T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →