fltMC.exe

  • File Path: C:\WINDOWS\SysWOW64\fltMC.exe
  • Description: Filter Manager Control Program

Hashes

Type Hash
MD5 CD0FC659CB8362EE3C35E0CB33332655
SHA1 87E6A70EE30BD4E469C7470371DBF15002D5DB5A
SHA256 340322093C8E2AD6F8BB41723FA9B04B5844E133624395DD0C17013D3B58DFD8
SHA384 EBBAE74E0330D3178DE12BF3B4DD34A8BC6F6B5D18361F00C059B9F4D566B59B851CE46BB8DF7496A7DE1960303799BF
SHA512 B9A6779AD3B28199684656B74C1C5FAE6FA61D88284204367E99AE29ADD4CB067B1987EC6826BE3624C6E300B6980229888283C2D86606635F4DCB3A2F86D202
SSDEEP 384:zDKMNk2KrsARuG31N798qv9xC3ruSzhcNFlkJ0/cXfvR2FWp9Wmp:zYuG31N798qlI75VcNFlkikvR2Q

Runtime Data

Usage (stdout):


** Invalid command
Valid commands:
    load        Loads a Filter driver
    unload      Unloads a Filter driver
    filters     Lists the Filters currently registered in the system
    instances   Lists the Instances for a Filter or Volume currently
                registered in the system
    volumes     Lists all volumes/RDRs in the system
    attach      Creates a Filter Instance to a Volume
    detach      Removes a Filter Instance from a Volume

    Use fltmc help [ command ] for help on a specific command

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: fltMC.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of fltMC.exe being misused. While fltMC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\fltMC.exe' DRL 1.0
sigma proc_creation_win_stordiag_execution.yml description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml - '\fltmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_driver_unload.yml Image\|endswith: '\fltmc.exe' DRL 1.0
LOLBAS FltMC.yml Name: fltMC.exe  
LOLBAS FltMC.yml - Command: fltMC.exe unload SysmonDrv  
LOLBAS FltMC.yml - Path: C:\Windows\System32\fltMC.exe  
LOLBAS FltMC.yml - IOC: 4688 events with fltMC.exe  
LOLBAS Stordiag.yml Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.  
LOLBAS Stordiag.yml - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\  
atomic-red-team T1518.001.md fltmc.exe | findstr.exe 385201 MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md fltmc.exe unload #{sysmon_driver} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.