Techniques
Sample rules
Potential Mftrace.EXE Abuse
- source: sigma
- techniques:
- t1127
Description
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
Detection logic
selection:
    ParentImage|endswith: '\mftrace.exe'
condition: selection
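To show what the selection above actually matches, the following is an added example that evaluates the rule's single `ParentImage|endswith` condition over a handful of constructed Sysmon-style process-creation events. It is illustrative code written for this page, not part of the Sigma project or of any Sigma backend; the event dicts, field names and paths are constructed test data, and the small modifier evaluator only covers the modifiers needed here.

```python
# Added example: evaluate the "Potential Mftrace.EXE Abuse" selection over
# constructed process-creation events. Not part of the Sigma project.
from typing import Any, Dict, Iterable, List

# Field/value pair transcribed from the rule's selection block. The leading
# backslash is part of the value, so only a file literally named mftrace.exe
# matches, not e.g. "notmftrace.exe". Sigma string matching is
# case-insensitive, hence the .lower() calls below.
SELECTION: Dict[str, str] = {"ParentImage|endswith": "\\mftrace.exe"}


def _match_field(event: Dict[str, Any], spec: str, value: str) -> bool:
    """Evaluate one 'Field|modifier: value' pair against an event."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False  # field absent from the event: no match
    actual, value = str(actual).lower(), value.lower()
    if modifier == "endswith":
        return actual.endswith(value)
    if modifier == "startswith":
        return actual.startswith(value)
    if modifier == "contains":
        return value in actual
    if modifier == "":
        return actual == value
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(event: Dict[str, Any]) -> bool:
    """All field conditions inside one selection map are ANDed (Sigma semantics)."""
    return all(_match_field(event, spec, v) for spec, v in SELECTION.items())


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if matches(e)]


# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # child of a Windows SDK mftrace.exe: should fire
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\mftrace.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # ordinary user activity: should not fire
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "notepad.exe",
    },
    {  # renamed path, upper-case name: still fires (case-insensitive endswith)
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\calc.exe",
        "ParentImage": "C:\\Tools\\MFTRACE.EXE",
        "CommandLine": "calc.exe",
    },
    {  # name merely ends in "mftrace.exe": the leading backslash keeps it out
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "ParentImage": "C:\\Tools\\notmftrace.exe",
        "CommandLine": "conhost.exe",
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']}")
```

Run stand-alone it reports the first and third events. The fourth event is the check worth keeping in mind when writing or tuning `endswith` rules: because the value starts with `\`, the match is anchored to the file name, which is why the rule does not also catch arbitrary binaries whose names happen to end in the same string. The rule does not constrain `Image`, so any child of mftrace.exe fires; if you need to reduce noise on developer workstations where the SDK tool is legitimately used, narrow on the child `Image` or `CommandLine` in a separate filter selection rather than weakening the parent match.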