Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Sigma rule (View on GitHub)
1title: Potential Mfdetours.DLL Sideloading
2id: d2605a99-2218-4894-8fd3-2afb7946514d
3status: test
4description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
5references:
6 - Internal Research
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-08-03
9tags:
10 - attack.persistence
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1574.001
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|endswith: '\mfdetours.dll'
20 filter_main_legit_path:
21 ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
22 condition: selection and not 1 of filter_main_*
23falsepositives:
24 - Unlikely
25level: medium
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL