==================================================

CREATED: WIN-FLTMC-UNLOAD-ACTIVITY-MONITOR (#1450)

Description

This detector identifies the Filter Manager Control Program (fltMC.exe) being used to unload a minifilter driver that has been defined as an "Activity Monitor" by Microsoft. File system minifilter drivers are commonly used by Data Loss Prevention (DLP), Antivirus (AV), and various Endpoint Monitoring utilities.

ATT&CK Technique T1089

==================================================

CREATED: LINUX-XORG-PRIVESC (#1455)

Description

This detector identifies instances of the Xorg X Window Server with command line options indicating the use of a privilege escalation exploit. This technique may be used by adversaries to escalate their privileges from a standard user to root.

ATT&CK Technique T1068
ATT&CK Technique T1166

==================================================

CREATED: WIN-FLTMC-UNLOAD-AV (#1456)

Description

This detector identifies the Filter Manager Control Program (fltMC.exe) being used to unload a minifilter driver that has been defined as an Anti-Virus product by Microsoft. File system minifilter drivers are commonly used by Data Loss Prevention (DLP), Antivirus (AV), and various Endpoint Monitoring utilities.

ATT&CK Technique T1089

==================================================

CREATED: WIN-FLTMC-UNLOAD-SECURITY-ENHANCER (#1457)

Description

This detector identifies the Filter Manager Control Program (fltMC.exe) being used to unload a minifilter driver that has been defined as a "Security Enhancer" by Microsoft. File system minifilter drivers are commonly used by Data Loss Prevention (DLP), Antivirus (AV), and various Endpoint Monitoring utilities.

ATT&CK Technique T1089
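Added example covering the three fltMC detectors above (#1450, #1456, #1457); it is illustrative code, not the product's own detection logic. It flags `fltMC.exe unload <filter>` in process command lines and maps the named filter to the Microsoft load-order group it belongs to, using a filter-name-to-altitude inventory assumed to come from an earlier `fltmc filters` snapshot of the host; the altitude ranges are assumed from Microsoft's published load-order groups, and all filter names and events are constructed.

```python
import re

# ASSUMPTION: altitude ranges recalled from Microsoft's published minifilter
# load-order groups; confirm against the current docs before relying on them.
ALTITUDE_GROUPS = (
    (80000, 89999, "WIN-FLTMC-UNLOAD-SECURITY-ENHANCER"),  # FSFilter Security Enhancer
    (320000, 329999, "WIN-FLTMC-UNLOAD-AV"),                # FSFilter Anti-Virus
    (360000, 389999, "WIN-FLTMC-UNLOAD-ACTIVITY-MONITOR"),  # FSFilter Activity Monitor
)

# Constructed inventory of loaded filters (name -> altitude), as a prior
# `fltmc filters` snapshot of the host would supply. Names are made up.
FILTER_INVENTORY = {
    "ExampleSecEnh": 85000,
    "ExampleAvFilter": 325000,
    "ExampleEdrMon": 365100,
    "ExampleBottomFilter": 40500,  # below all three ranges: not flagged
}

# Matches `fltmc unload <name>` whether the image is bare, has .exe, is quoted
# or is a full path; the filter name is captured without surrounding quotes.
UNLOAD_RE = re.compile(
    r'(?:^|[\\/"\s])fltmc(?:\.exe)?"?\s+unload\s+"?([^\s"]+)', re.IGNORECASE)

def parse_fltmc_unload(cmdline):
    """Return the filter name being unloaded, or None if this is not an unload."""
    m = UNLOAD_RE.search(cmdline)
    return m.group(1) if m else None

def classify_unload(cmdline, inventory=FILTER_INVENTORY):
    """Map a process command line to the detector it would trip, or None."""
    name = parse_fltmc_unload(cmdline)
    if name is None:
        return None
    altitude = inventory.get(name)
    if altitude is None:
        return None  # filter not in the inventory: its group is unknown
    for low, high, detector in ALTITUDE_GROUPS:
        if low <= altitude <= high:
            return detector
    return None

def scan_process_events(events, inventory=FILTER_INVENTORY):
    """events: iterable of (pid, cmdline) process-creation records; returns hits."""
    hits = []
    for pid, cmdline in events:
        detector = classify_unload(cmdline, inventory)
        if detector:
            hits.append((pid, parse_fltmc_unload(cmdline), detector))
    return hits
```

Feed `scan_process_events` the command lines from your process-creation telemetry and keep the inventory refreshed from the host, since a filter that is not loaded cannot be classified.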
