public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-28 22:32:02 +01:00
Code Issues Projects Releases Wiki Activity

Updating category of fltMC to tamper

Browse Source
This commit is contained in:
Wietze 2022-10-04 15:37:56 +01:00 committed by GitHub
parent 4217d0f8ca
commit 6f2135e173
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
yml/OSBinaries/FltMC.yml
View File

@ -1,20 +1,18 @@
---
Name: fltMC.exe
Description: Filter Manager Control Program used by Windows
Author: 'John Lambert'
Created: '2021-09-18'
Author: John Lambert
Created: 2021-09-18
Commands:
- Command: fltMC.exe unload SysmonDrv
Description: Unloads a driver used by security agents
Usecase: Defense evasion
Category: ADS
Category: Tamper
Privileges: Admin
MitreID: T1562.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\fltMC.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml