fltMC.exe

  • File Path: C:\WINDOWS\system32\fltMC.exe
  • Description: Filter Manager Control Program

Hashes

Type Hash
MD5 382CDE89046C09F6F976F4CBD22B7025
SHA1 4D19B190DDCF957C27AEA74AF780398FD6FD4867
SHA256 9ABAF5823E20B0CA3CB22E6DC484BFF3DB59868930706B8A2BFB12F44B9C64A0
SHA384 E06DC060D8CC220594333A0C98643E82C7245CBE7E23D862F04595A9A001457984959A1A315853DB19BB3DE78294092D
SHA512 719CB1E789B8C8C39174B0C38DBE63E8F8A8FFE665C5B888FD315202BD5580D734B8248B0E2DA7ABF2F5A3642C4529C138F7825EDEA4FE6DD4690BEFCFCD57A6
SSDEEP 768:hDjFQc0cRIBHAgNaoo23hTN1OYh5F0lHC+q:hDjXbRIfo+3UKilHC+q
IMP 3BB9381340F6C7B1E51AD45AB82E32D2
PESHA1 6D176FABF83D54686AC975EF475E0ADCCEE37125
PE256 B56D3FD730E9AEE48A9745C509FC6B45BA9AAF2D10E95D3747041A7A66F17238

Runtime Data

Usage (stdout):


** Invalid command
Valid commands:
    load        Loads a Filter driver
    unload      Unloads a Filter driver
    filters     Lists the Filters currently registered in the system
    instances   Lists the Instances for a Filter or Volume currently
                registered in the system
    volumes     Lists all volumes/RDRs in the system
    attach      Creates a Filter Instance to a Volume
    detach      Removes a Filter Instance from a Volume

    Use fltmc help [ command ] for help on a specific command

Loaded Modules:

Path
C:\WINDOWS\system32\fltMC.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: fltMC.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/9abaf5823e20b0ca3cb22e6dc484bff3db59868930706b8a2bfb12f44b9c64a0/detection

Possible Misuse

The following table contains possible examples of fltMC.exe being misused. While fltMC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\fltMC.exe' DRL 1.0
sigma proc_creation_win_stordiag_execution.yml description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml - '\fltmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_driver_unload.yml Image\|endswith: '\fltmc.exe' DRL 1.0
LOLBAS FltMC.yml Name: fltMC.exe  
LOLBAS FltMC.yml - Command: fltMC.exe unload SysmonDrv  
LOLBAS FltMC.yml - Path: C:\Windows\System32\fltMC.exe  
LOLBAS FltMC.yml - IOC: 4688 events with fltMC.exe  
LOLBAS Stordiag.yml Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.  
LOLBAS Stordiag.yml - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\  
atomic-red-team T1518.001.md fltmc.exe | findstr.exe 385201 MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md fltmc.exe unload #{sysmon_driver} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.