Unsigned Mfdetours.DLL Sideloading

Aug 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002 ·

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Sigma rule (View on GitHub)

 1title: Unsigned Mfdetours.DLL Sideloading
 2id: 948a0953-f287-4806-bbcb-3b2e396df89f
 3related:
 4    - id: d2605a99-2218-4894-8fd3-2afb7946514d
 5      type: similar
 6status: experimental
 7description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
 8references:
 9    - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/08/11
12tags:
13    - attack.defense_evasion
14    - attack.privilege_escalation
15    - attack.t1574.001
16    - attack.t1574.002
17logsource:
18    category: image_load
19    product: windows
20detection:
21    selection:
22        ImageLoaded|endswith: '\mfdetours.dll'
23    filter_main_legit_path:
24        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
25        SignatureStatus: 'Valid'
26    condition: selection and not 1 of filter_main_*
27falsepositives:
28    - Unlikely
29level: high

References

Internal Research

Read More

Unsigned Mfdetours.DLL Sideloading

Sigma rule (View on GitHub)

References

Internal Research

Related rules