Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Sigma rule (View on GitHub)
1title: Unsigned Mfdetours.DLL Sideloading
2id: 948a0953-f287-4806-bbcb-3b2e396df89f
3related:
4 - id: d2605a99-2218-4894-8fd3-2afb7946514d
5 type: similar
6status: test
7description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
8references:
9 - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-08-11
12tags:
13 - attack.persistence
14 - attack.defense-evasion
15 - attack.privilege-escalation
16 - attack.t1574.001
17logsource:
18 category: image_load
19 product: windows
20detection:
21 selection:
22 ImageLoaded|endswith: '\mfdetours.dll'
23 filter_main_legit_path:
24 ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
25 SignatureStatus: 'Valid'
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - Unlikely
29level: high
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL