Potential Evasion via Filter Manager
Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, evading defenses like EDR and antivirus.
The Filter Manager Control Program (fltMC.exe) is a legitimate Windows utility used to manage and query filter drivers loaded on a system. These filter drivers, often called minifilters, are used by many security products, including EDR and antivirus solutions, to intercept and modify I/O requests. Adversaries can abuse fltMC.exe to unload these minifilters, effectively disabling security controls and evading detection. This technique is particularly effective because fltMC.exe is a signed Microsoft binary, making it less likely to be flagged by standard application control policies. The targeting is broad, affecting any Windows system with vulnerable filter drivers and inadequate process monitoring. This is a common post-exploitation tactic.
Attack Chain
- The attacker gains initial access to the target system via other means.
- The attacker identifies security software utilizing minifilters.
- The attacker uses
fltMC.exewith theunloadargument to attempt to disable a targeted minifilter. - The command
fltMC.exe unload <filter_name>is executed, where<filter_name>specifies the driver to unload. - Windows validates the request. If the attacker has sufficient privileges and the filter allows unloading, the driver is unloaded.
- The unloaded filter driver is no longer active, and its protections are bypassed.
- The attacker proceeds with malicious activities (e.g., malware execution, data exfiltration) without the filter's interference.
- The attacker attempts to remove traces of the activity by deleting logs or other artifacts.
Impact
Successful exploitation allows attackers to bypass security controls implemented by filter drivers, such as real-time malware detection, file system monitoring, and behavior-based detection. This can lead to successful malware execution, data exfiltration, or other malicious activities that would otherwise be prevented. The impact is significant, especially in environments heavily reliant on filter drivers for security.
Recommendation
- Monitor process creation events for
fltMC.exeexecutions with theunloadargument using the provided Sigma rule to identify potential evasion attempts. - Implement strict access controls on
fltMC.exeto limit its usage to authorized personnel only. - Investigate any identified instances of
fltMC.exebeing used to unload filter drivers, focusing on the parent process and the targeted driver. - Review and harden endpoint detection and response (EDR) configurations to ensure that the EDR solution can detect malicious activity even if filter drivers are unloaded.
- Consider implementing application control policies to restrict the execution of
fltMC.exeby unauthorized users or processes. - Monitor the Windows Security Event Logs and Sysmon logs for process creation events related to
fltMC.exe. - Use the provided Sigma rule to detect suspicious usage of
fltMC.exeand tune it for your environment.
Detection coverage 2
Detect Filter Manager Unload Activity
mediumDetects the use of fltMC.exe to unload filter drivers, which can be used to evade defenses.
Detect Filter Manager Unload Activity from Non-System Paths
highDetects fltMC.exe execution from non-system paths to evade defenses.
Detection queries are available on the platform. Get full rules →