{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fltmc.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Endpoint Security","UEMS_Agent","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","filter-driver","fltMC.exe","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ManageEngine","Bitdefender","SentinelOne"],"content_html":"\u003cp\u003eThe Filter Manager Control Program (fltMC.exe) is a Windows utility used to manage filter drivers, also known as minifilters. These minifilters are leveraged by various security products, including EDR, antivirus solutions, and data loss prevention tools, to intercept and modify I/O requests. Attackers can abuse fltMC.exe to unload these minifilters, effectively disabling or circumventing the security measures they provide. This allows malicious actors to operate without detection, potentially leading to data breaches, malware infections, or other harmful activities. This technique has been observed being used to disable security products such as Bitdefender, SentinelOne and ManageEngine Endpoint Central.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003efltMC.exe\u003c/code\u003e with administrative privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efltMC.exe\u003c/code\u003e attempts to unload a specific filter driver (minifilter).\u003c/li\u003e\n\u003cli\u003eThe operating system processes the request to unload the specified filter driver.\u003c/li\u003e\n\u003cli\u003eIf successful, the targeted minifilter is removed from the active filter stack.\u003c/li\u003e\n\u003cli\u003eSecurity software relying on the unloaded minifilter ceases to function correctly, leaving a security gap.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions, such as deploying malware or exfiltrating sensitive data, without the protection of the disabled filter driver.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to disable or circumvent security controls, increasing the likelihood of successful malware infections, data breaches, and other malicious activities. The scope of impact depends on the specific filter driver unloaded and the security products it supports. Disabling a critical EDR minifilter could leave the entire system vulnerable, while disabling a less critical filter might only impact a subset of security features.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efltMC.exe\u003c/code\u003e with the \u003ccode\u003eunload\u003c/code\u003e argument to identify potential evasion attempts (see Sigma rule \u0026ldquo;Potential Evasion via Filter Manager\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003efltMC.exe\u003c/code\u003e execution where the parent process is not a known and trusted system management tool.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the ability of users to execute \u003ccode\u003efltMC.exe\u003c/code\u003e or modify filter driver configurations.\u003c/li\u003e\n\u003cli\u003eReview the list of exclusions in the provided EQL query to identify any legitimate software that may be generating false positives.\u003c/li\u003e\n\u003cli\u003eEnsure that endpoint security solutions are properly configured and monitored to detect and prevent unauthorized filter driver modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-filter-manager-evasion/","summary":"Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.","title":"Potential Defense Evasion via Filter Manager (fltMC.exe)","url":"https://feed.craftedsignal.io/briefs/2024-01-filter-manager-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed — FltMC.exe","version":"https://jsonfeed.org/version/1.1"}