Adversaries may sideload mfdetours.dll to execute malicious code in the context of a process that mftrace.exe attaches to, or to evade detection by hooking system processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate persistence or execution tactics used by advanced threats.
Detection Rule
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". The tool "mftrace.exe" can be abused to attach to an arbitrary process and force-load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"))
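The following is an added example, not code from the original page or from the rule's author: it applies the Sigma selection and filter above to a handful of constructed image-load records and attaches the two fields an analyst needs first when triaging a hit (which process loaded the DLL, and whether the file is Microsoft-signed). Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature); the sample events, paths and SDK version number are made up for illustration.

```python
"""
Added example (not part of the original rule or page): runs the Sigma
logic for "Potential Mfdetours.DLL Sideloading" over constructed Sysmon
Event ID 7 records and enriches each hit with triage fields.
"""
from typing import Dict, List

# Same filter value as the Sigma rule. Sigma's `contains`/`endswith`
# modifiers and KQL's `contains`/`endswith` are case-insensitive, so
# everything is lower-cased before comparison.
LEGIT_SDK_DIR = ":\\program files (x86)\\windows kits\\10\\bin\\"
TARGET_DLL = "\\mfdetours.dll"

# Constructed Sysmon EID 7 records (not real telemetry; SDK version
# directory 10.0.22621.0 is an assumption).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # SDK tool loading its own DLL from the SDK directory: benign
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22621.0\\x64\\mftrace.exe",
        "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22621.0\\x64\\mfdetours.dll",
        "Signed": "true", "Signature": "Microsoft Corporation",
    },
    {   # mftrace.exe copied next to a rogue DLL in a user-writable directory
        "Image": "C:\\Users\\Public\\mftrace.exe",
        "ImageLoaded": "C:\\Users\\Public\\mfdetours.dll",
        "Signed": "false", "Signature": "",
    },
    {   # the same DLL forced into an attached process: the loader is not mftrace
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Users\\Public\\mfdetours.dll",
        "Signed": "false", "Signature": "",
    },
    {   # unrelated image load, must not match
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # case variation: still matches, as it would in Sigma/KQL
        "Image": "C:\\TEMP\\MFTRACE.EXE",
        "ImageLoaded": "C:\\TEMP\\MFDETOURS.DLL",
        "Signed": "false", "Signature": "",
    },
]


def matches_rule(event: Dict[str, str]) -> bool:
    """selection and not 1 of filter_main_* from the Sigma rule."""
    loaded = event.get("ImageLoaded", "").lower()
    selection = loaded.endswith(TARGET_DLL)
    filter_main_legit_path = LEGIT_SDK_DIR in loaded
    return selection and not filter_main_legit_path


def triage(event: Dict[str, str]) -> Dict[str, object]:
    """Fields to look at first on a hit. The rule keys on the loaded DLL,
    not the loading process, because mftrace.exe pushes the DLL into the
    process it attaches to, so the loader may be any process."""
    loader = event.get("Image", "")
    signature = event.get("Signature", "").lower()
    return {
        "loader": loader,
        "loaded": event.get("ImageLoaded", ""),
        "loader_is_mftrace": loader.lower().endswith("\\mftrace.exe"),
        # A valid Microsoft signature lowers urgency but does not clear the
        # hit: a genuine SDK DLL copied out of the SDK directory still matches.
        "signed_by_microsoft": event.get("Signed", "").lower() == "true"
        and "microsoft" in signature,
    }


def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the rule to every event and return enriched hits."""
    return [triage(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Running the block yields three hits: the two loads from C:\Users\Public\ (one by the copied mftrace.exe, one by the process it attached to) and the upper-case variant; the load from under Windows Kits\10\bin\ is suppressed by the filter exactly as in the Sigma condition. When carrying the same logic into the KQL above, `InitiatingProcessFolderPath` plays the role of `Image` here.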
Scenario: System Update or Patch Deployment
Description: A software update (for example a Windows SDK update, the component that ships mfdetours.dll in the excluded Windows Kits path) may copy or replace mfdetours.dll. Note that the rule fires on image load, not on file writes, so a copy or replacement on its own produces no hit; a hit needs a process to load the DLL from outside the excluded SDK directory.
Filter/Exclusion: Check the full path the DLL was loaded from (ImageLoaded / FolderPath) and the loading process. Do not exclude staging directories such as C:\Windows\Temp\, C:\Windows\Update\ or C:\Windows\servicing\: a load of mfdetours.dll from a temporary or servicing directory is what the rule is meant to surface. If the load is genuinely part of an update, confirm the file carries a valid Microsoft signature and the loader is the installer before tuning.
Scenario: Scheduled Job for Application Maintenance
Description: A scheduled job (e.g., via Task Scheduler) may run a script or tool that temporarily places mfdetours.dll in a directory and loads it as part of application maintenance or configuration.
Filter/Exclusion: Exclude only on the combination of a documented task, its loading process path and the exact DLL path, never on broad directories such as C:\Program Files\ or C:\Windows\System32\, where mfdetours.dll has no legitimate reason to reside and a blanket exclusion would blind the rule to the most suspicious loads.
Scenario: Microsoft Endpoint Configuration Manager (MECM) Deployment
Description: MECM (formerly SCCM) may deploy software packages (such as the Windows SDK) that include mfdetours.dll as part of a software distribution or application installation, and the installer may load the DLL from a deployment cache.
Filter/Exclusion: Exclude on the loading process (InitiatingProcessFileName of msiexec.exe or ccmexec.exe) only together with the full loaded-DLL path matching the MECM deployment directory (e.g., C:\Windows\Temp\SCCM\) and a verified Microsoft signature; a process name alone is easy for an attacker to reuse.
Scenario: Third-Party Security Tool Integration
Description: A third-party security tool (e.g., Microsoft Defender ATP, CrowdStrike, or SentinelOne) may inject its own DLLs into processes during integration or configuration. A security product loading a DLL actually named mfdetours.dll would be unusual, so verify the file's signer and hash before treating such a hit as benign.
Filter/Exclusion: Exclude files modified by processes with known security tool signatures (e.g., mpsvc.exe, `sfos