ikiril01
commented
4 years ago @olafhartong thanks! I've merged this into the corresponding CAR analytic. I actually ended up using this for the Splunk search, as it made for a much faster query: Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe" AND CommandLine="*unload*"
Small changes to CAR-2020-08-005