security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/image_load/image_load_side_load_mfdetours.yml
T
frack113 83b9ff50bc Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags 
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
2025-05-15 12:17:10 +02:00

25 lines
852 B
YAML
Raw Blame History

title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\mfdetours.dll'
filter_main_legit_path:
ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: medium
Reference in New Issue View Git Blame Copy Permalink