Potential Evasion via Filter Manager

Elastic Detection Rules

Summary
This detection rule identifies a potential defense-evasion technique in which an adversary uses the Filter Manager Control Program (fltMC.exe) to unload a file system minifilter driver on a Windows host. Many endpoint security products (antivirus, EDR, file integrity monitoring) get their file system visibility from a minifilter, so unloading that filter quietly removes the protection while the product's user-mode components keep running. The command form is fltMC.exe unload <FilterName>, and it requires administrative privileges, which is why the activity deserves scrutiny even when it comes from an otherwise legitimate account.

The rule is written in EQL (Event Query Language) and matches process start events in which the process is fltMC.exe and its command-line arguments include unload. It carries exceptions for known benign sources of the same command, such as unloads performed by DCFAService64.exe and msiexec-driven installations that unload specific known filters.

The accompanying investigation guide directs analysts to establish which user account ran the command, review the full command-line arguments, identify the filter driver that was targeted, and determine whether that driver belongs to a security product. This supports a triage process that confirms or rules out malicious intent and, where warranted, moves to response actions. The rule draws on Windows security and endpoint process events.
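The following is an added example and not Elastic's rule code: it re-implements the detection logic described above in Python and runs it over constructed ECS-style process events, so the match and the two exceptions can be exercised offline. The install path used for the DCFAService64.exe exception, the set of filter names an msiexec-driven install may unload, and every sample event are assumptions made for illustration; the real rule's exceptions live in its EQL query.

```python
# Added example, not Elastic's rule code: the detection logic from the summary
# re-implemented in Python over constructed ECS-style process events.
# Assumptions (not taken from the page): the parent path used for the
# DCFAService64.exe exclusion, the msiexec filter allowlist, and all sample data.
from typing import Dict, List, Optional

# Assumed install path of the DCFAService64.exe parent that the rule excludes.
ASSUMED_DCFA_PARENT_EXE = r"c:\program files\dell\dcfaservice64.exe"

# Assumed allowlist of filter names an msiexec-driven installer may unload.
ASSUMED_MSIEXEC_FILTERS = {"ExampleVendorFilter"}


def unloaded_filter(args: List[str]) -> Optional[str]:
    """Return the name passed to 'fltmc unload <name>', or None if absent.

    The comparison is case-insensitive because cmd.exe does not normalise
    argument case, so 'UNLOAD' and 'unload' reach fltMC.exe unchanged.
    """
    lowered = [a.lower() for a in args]
    if "unload" not in lowered:
        return None
    i = lowered.index("unload")
    return args[i + 1] if i + 1 < len(args) else None


def matches_rule(event: Dict) -> Optional[Dict]:
    """Apply the rule's conditions to one event; return triage data or None."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return None
    if event.get("process.name", "").lower() != "fltmc.exe":
        return None
    # ECS carries process.args as a list; fall back to splitting command_line.
    args = event.get("process.args") or event.get("process.command_line", "").split()
    target = unloaded_filter(args)
    if target is None:
        return None  # e.g. 'fltmc filters' enumeration, which the rule ignores
    parent_exe = event.get("process.parent.executable", "").lower()
    parent_name = event.get("process.parent.name", "").lower()
    # Exclusion 1: unloads driven by DCFAService64.exe (assumed install path).
    if parent_exe == ASSUMED_DCFA_PARENT_EXE:
        return None
    # Exclusion 2: msiexec installing or removing a known filter. The exception
    # is filter-specific, so msiexec unloading some other filter still alerts.
    if parent_name == "msiexec.exe" and target in ASSUMED_MSIEXEC_FILTERS:
        return None
    # Fields the investigation guide asks analysts to look at first.
    return {
        "user": event.get("user.name"),
        "parent": event.get("process.parent.name"),
        "filter": target,
        "command_line": " ".join(args),
    }


def detect(events: List[Dict]) -> List[Dict]:
    """Run the rule over a list of events and collect the matches in order."""
    return [hit for hit in (matches_rule(e) for e in events) if hit]


def _win(fields: Dict) -> Dict:
    """Build a Windows process-start event with the given extra fields."""
    return {"host.os.type": "windows", "event.type": "start", **fields}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: interactive unload of an (assumed) security minifilter from cmd.exe -> alert
    _win({"process.name": "fltMC.exe", "user.name": "jdoe", "process.parent.name": "cmd.exe",
          "process.args": ["fltMC.exe", "unload", "ConstructedEdrFilter"]}),
    # 2: filter enumeration only, no unload -> no alert
    _win({"process.name": "fltMC.exe", "user.name": "jdoe", "process.parent.name": "powershell.exe",
          "process.args": ["fltMC.exe", "filters"]}),
    # 3: msiexec unloading an allowlisted filter -> excluded
    _win({"process.name": "fltmc.exe", "user.name": "SYSTEM", "process.parent.name": "msiexec.exe",
          "process.args": ["fltmc.exe", "unload", "ExampleVendorFilter"]}),
    # 4: DCFAService64.exe at the assumed path -> excluded
    _win({"process.name": "fltmc.exe", "user.name": "SYSTEM", "process.parent.name": "DCFAService64.exe",
          "process.parent.executable": r"C:\Program Files\Dell\DCFAService64.exe",
          "process.args": ["fltmc.exe", "unload", "ExampleVendorFilter"]}),
    # 5: msiexec unloading a filter that is NOT allowlisted -> alert
    _win({"process.name": "msiexec-child fltmc.exe".split()[-1], "user.name": "SYSTEM",
          "process.parent.name": "msiexec.exe",
          "process.args": ["fltmc.exe", "UNLOAD", "NotAllowlistedFilter"]}),
    # 6: only command_line present (no process.args), run from PowerShell -> alert
    _win({"process.name": "fltmc.exe", "user.name": "svc-backup", "process.parent.name": "powershell.exe",
          "process.command_line": "fltmc.exe unload ConstructedEdrFilter"}),
    # 7: same command line but a process-end event -> ignored (rule wants starts)
    {"host.os.type": "windows", "event.type": "end", "process.name": "fltmc.exe",
     "process.args": ["fltmc.exe", "unload", "ConstructedEdrFilter"]},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} parent={hit['parent']} filter={hit['filter']}")
```

Events 3 and 5 together show why an exception should be keyed on both the parent and the filter name: excluding everything spawned by msiexec.exe would let an attacker-built MSI unload a security filter unnoticed, whereas the allowlist only suppresses the specific installer behaviour that was observed to be benign.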
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Windows Registry
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2020-02-18