Sigma rule | Level: medium | Type: Hunting
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". The "mftrace.exe" tool can be abused to attach to an arbitrary process and force-load any DLL named "mfdetours.dll" from the current working directory it is executed from.
Detection Query
selection:
    ImageLoaded|endswith: '\mfdetours.dll'
filter_main_legit_path:
    ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
condition: selection and not 1 of filter_main_*
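To show how the selection, the `filter_main_*` exclusion and the `condition` line combine, here is an added example (not code from the Sigma project or the rule author) that evaluates the rule's detection block over a few constructed image-load records in the shape of Sysmon Event ID 7 data. It implements only the `endswith` and `contains` modifiers with Sigma's default case-insensitive string matching, which is all this rule needs; the sample paths, including the Windows Kits version directory, are constructed for the demonstration.

```python
"""Evaluate the Sigma detection logic of this rule over constructed image-load events."""

# Detection block copied from the rule; backslashes are escaped for Python, not Sigma.
DETECTION = {
    "selection": {"ImageLoaded|endswith": "\\mfdetours.dll"},
    "filter_main_legit_path": {
        "ImageLoaded|contains": ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"
    },
}

# Constructed sample events (Sysmon Event ID 7 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {   # mftrace.exe loading mfdetours.dll from its legitimate Windows Kits location
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.0.0\\x64\\mftrace.exe",
        "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.0.0\\x64\\mfdetours.dll",
    },
    {   # a copy of mftrace.exe run from a user-writable directory next to a planted DLL
        "Image": "C:\\Users\\Public\\tools\\mftrace.exe",
        "ImageLoaded": "C:\\Users\\Public\\tools\\MFDETOURS.DLL",
    },
    {   # unrelated benign image load
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
    },
]


def match_field(event: dict, key: str, expected: str) -> bool:
    """Apply one 'field|modifier' check; Sigma string matching is case-insensitive by default."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def match_block(event: dict, block: dict) -> bool:
    """A detection block (a map of field checks) matches when every check matches."""
    return all(match_field(event, key, expected) for key, expected in block.items())


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not match_block(event, DETECTION["selection"]):
        return False
    filters = [block for name, block in DETECTION.items() if name.startswith("filter_main_")]
    return not any(match_block(event, block) for block in filters)


def evaluate(events: list) -> list:
    """Return the events the rule would alert on."""
    return [event for event in events if rule_matches(event)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Running it flags only the load from the user-writable directory; the Windows Kits load is suppressed by the `filter_main_legit_path` exclusion, and the uppercase file name in the second event still matches because the comparison is case-insensitive. When tuning the rule for your own environment, any additional `filter_main_*` block you add is picked up by the `1 of filter_main_*` clause automatically.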
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-08-03
Data Sources
windows: Image Load Events
Platforms
windows
References
- Internal Research
Tags
attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
Raw Content
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium