Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Sigma rule
```yaml
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium
```
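To show how the selection, the filter and the `condition` combine, here is the rule's logic re-implemented in plain Python and run over a handful of constructed image_load events. This is an added example, not code from the Sigma project or the rule author; the event dictionaries and the Sysmon-style field names (`Image`, `ImageLoaded`) are assumptions, and the matching follows Sigma's default of case-insensitive string modifiers.

```python
"""Evaluate the 'Potential Mfdetours.DLL Sideloading' Sigma logic over
constructed image_load events (added example, not from the Sigma project)."""

# Sigma string modifiers (endswith / contains) are case-insensitive by default,
# so both the event field and the rule's literals are compared in lower case.
SELECTION_SUFFIX = "\\mfdetours.dll"
LEGIT_PATH_FRAGMENT = ":\\program files (x86)\\windows kits\\10\\bin\\"


def matches_selection(event):
    """selection: ImageLoaded|endswith '\\mfdetours.dll'"""
    image = event.get("ImageLoaded", "").lower()
    return image.endswith(SELECTION_SUFFIX)


def matches_legit_filter(event):
    """filter_main_legit_path: ImageLoaded|contains the Windows Kits bin path"""
    image = event.get("ImageLoaded", "").lower()
    return LEGIT_PATH_FRAGMENT in image


def rule_fires(event):
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_legit_filter(event)


def evaluate(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if rule_fires(e)]


# Constructed sample events in Sysmon Event ID 7 style; not real telemetry.
# The Image field is carried along for context only; the rule keys solely on
# ImageLoaded, so the loading process is not part of the decision.
SAMPLE_EVENTS = [
    # Expected location under the Windows Kits bin tree: suppressed by the filter.
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\mftrace.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\mfdetours.dll"},
    # Copied mftrace.exe loading mfdetours.dll from its own directory: alerts.
    {"Image": r"C:\Users\Public\tools\mftrace.exe",
     "ImageLoaded": r"C:\Users\Public\tools\mfdetours.dll"},
    # Unrelated DLL load: no match on the selection.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Upper-case file name still matches because comparison is case-insensitive.
    {"Image": r"C:\Temp\mftrace.exe",
     "ImageLoaded": r"C:\Temp\MFDETOURS.DLL"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

The filter is a `contains` on the whole path rather than an `endswith`, which is why a versioned subdirectory such as `bin\10.0.22621.0\x64\` still counts as the legitimate location; any copy of `mfdetours.dll` outside that tree, whatever its case, reaches the `selection and not 1 of filter_main_*` branch and fires.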
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijacking Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder