Detectionhightest

Unsigned Mfdetours.DLL Sideloading

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Fri Aug 11948a0953-f287-4806-bbcb-3b2e396df89fwindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion TA0004 · Privilege Escalation

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Related Rules

SimilarDetectionmedium

Potential Mfdetours.DLL Sideloading

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

948a0953-f287-4806-bbcb-3b2e396df89f

Status

test

Level

high

Type

Detection

Created

Fri Aug 11

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574.001

View on GitHub