Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Sigma rule

```yaml
title: Unsigned Mfdetours.DLL Sideloading
id: 948a0953-f287-4806-bbcb-3b2e396df89f
related:
    - id: d2605a99-2218-4894-8fd3-2afb7946514d
      type: similar
status: test
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
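The following is an added example, not part of the Sigma rule or of this page: a small Python evaluation of the rule's detection logic over constructed image_load events (Sysmon Event ID 7 style fields). The events, file paths and signature states are invented for illustration; the field names and the matching logic follow the rule above. It assumes Sigma's default case-insensitive string matching and shows why the filter requires both the SDK path and a valid signature: a DLL in the SDK path that fails signature verification still alerts.

```python
"""Evaluate the 'Unsigned Mfdetours.DLL Sideloading' rule logic over sample events.

Added example for the rule page; not code from the Sigma project.
"""

# Patterns taken from the rule. Sigma string matching is case-insensitive,
# so both patterns and event values are lower-cased before comparison.
DLL_SUFFIX = "\\mfdetours.dll"
LEGIT_PATH_FRAGMENT = ":\\Program Files (x86)\\Windows Kits\\10\\bin\\".lower()

# Constructed sample events (invented paths/hosts) mirroring image_load fields.
SAMPLE_EVENTS = [
    {   # Benign: signed mfdetours.dll loaded from the Windows SDK directory.
        "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\mfdetours.dll",
        "SignatureStatus": "Valid",
    },
    {   # Suspicious: unsigned copy loaded from a user-writable directory.
        "ImageLoaded": "C:\\Users\\alice\\Downloads\\mfdetours.dll",
        "SignatureStatus": "Unavailable",
    },
    {   # Suspicious: SDK path, but the signature does not verify.
        "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\mfdetours.dll",
        "SignatureStatus": "Invalid",
    },
    {   # Unrelated DLL: never matches the selection.
        "ImageLoaded": "C:\\Windows\\System32\\mfplat.dll",
        "SignatureStatus": "Valid",
    },
]


def matches_selection(event):
    """selection: ImageLoaded|endswith: '\\mfdetours.dll'."""
    return event.get("ImageLoaded", "").lower().endswith(DLL_SUFFIX)


def matches_filter_main_legit_path(event):
    """filter_main_legit_path: SDK path fragment AND SignatureStatus 'Valid'.

    Both keys in a Sigma selection map are AND-ed, so an SDK-path load with
    any other signature status falls through to the alert.
    """
    loaded = event.get("ImageLoaded", "").lower()
    status = event.get("SignatureStatus", "").lower()
    return LEGIT_PATH_FRAGMENT in loaded and status == "valid"


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*."""
    return matches_selection(event) and not matches_filter_main_legit_path(event)


def evaluate(events):
    """Return the ImageLoaded paths of every event that would raise the alert."""
    return [e["ImageLoaded"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: unsigned/unexpected mfdetours.dll load ->", hit)
```

Running the script prints two alerts: the Downloads copy and the SDK-path copy whose signature is not 'Valid'. When porting the rule to a backend, check that the backend preserves the AND between the two filter keys; turning it into an OR would silently suppress the third case.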
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijacking Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder