---
Name: Mftrace.exe
Description: Trace log generation tool for Media Foundation Tools.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
  - Command: Mftrace.exe cmd.exe
    Description: Launch cmd.exe as a subprocess of Mftrace.exe.
    Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
    Category: Execution
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
  - Command: Mftrace.exe powershell.exe
    Description: Launch powershell.exe as a subprocess of Mftrace.exe.
    Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
    Category: Execution
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
Full Path:
  - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
  - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
  - C:\Program Files (x86)\Windows Kits\10\bin\x86
  - C:\Program Files (x86)\Windows Kits\10\bin\x64
Code Sample: []
Detection: []
Resources:
  - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
Acknowledgement:
  - Person: fabrizio
    Handle: '@0rbz_'