Potential Mfdetours.DLL Sideloading

Aug 3, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002 ·

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Sigma rule (View on GitHub)

 1title: Potential Mfdetours.DLL Sideloading
 2id: d2605a99-2218-4894-8fd3-2afb7946514d
 3status: experimental
 4description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
 5references:
 6    - Internal Research
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/08/03
 9tags:
10    - attack.defense_evasion
11    - attack.privilege_escalation
12    - attack.t1574.001
13    - attack.t1574.002
14logsource:
15    category: image_load
16    product: windows
17detection:
18    selection:
19        ImageLoaded|endswith: '\mfdetours.dll'
20    filter_main_legit_path:
21        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
22    condition: selection and not 1 of filter_main_*
23falsepositives:
24    - Unlikely
25level: medium

References

Internal Research

Read More

Potential Mfdetours.DLL Sideloading

Sigma rule (View on GitHub)

References

Internal Research

Related rules