sigmahighHunting

Unsigned Mfdetours.DLL Sideloading

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

MITRE ATT&CK

T1574.001

persistencedefense-evasionprivilege-escalation

Detection Query

selection:
  ImageLoaded|endswith: \mfdetours.dll
filter_main_legit_path:
  ImageLoaded|contains: :\Program Files (x86)\Windows Kits\10\bin\
  SignatureStatus: Valid
condition: selection and not 1 of filter_main_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-08-11

Data Sources

windowsImage Load Events

Platforms

windows

References

Internal Research

Tags

attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574.001

Raw Content

title: Unsigned Mfdetours.DLL Sideloading
id: 948a0953-f287-4806-bbcb-3b2e396df89f
related:
    - id: d2605a99-2218-4894-8fd3-2afb7946514d
      type: similar
status: test
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high