Detectionmediumtest

Potential Mftrace.EXE Abuse

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Thu Jun 09Updated Thu Aug 033d48c9d3-1aa6-418d-98d3-8fd3c01a564ewindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\mftrace.exe'
    condition: selection

False Positives

Legitimate use for tracing purposes

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

3d48c9d3-1aa6-418d-98d3-8fd3c01a564e

Status

test

Level

medium

Type

Detection

Created

Thu Jun 09

Modified

Thu Aug 03

Author

Path

rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml

Raw Tags

attack.defense-evasionattack.t1127