Detectionmediumtest

Potential Mfdetours.DLL Sideloading

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Thu Aug 03d2605a99-2218-4894-8fd3-2afb7946514dwindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion TA0004 · Privilege Escalation

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

d2605a99-2218-4894-8fd3-2afb7946514d

Status

test

Level

medium

Type

Detection

Created

Thu Aug 03

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/image_load/image_load_side_load_mfdetours.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574.001

View on GitHub