Vendor
medium
advisory
Potential Evasion via Windows Filtering Platform Blocking Security Software
2 rules 2 TTPsAdversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.
Windows Filtering Platform +2
defense-evasion
windows-filtering-platform
endpoint-security
2r
2t
high
advisory
Suspicious Registry Hive Access via RegBack
2 rules 1 TTPThis rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.
Endpoint Defense +6
credential-access
regback
windows
2r
1t
medium
advisory
Potential Defense Evasion via Filter Manager (fltMC.exe)
2 rules 1 TTPAdversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.
Defender XDR +3
defense-evasion
filter-driver
fltMC.exe
windows
2r
1t