Potential DLL Side-Loading via Microsoft Antimalware Service Executable

  1[metadata]
  2creation_date = "2021/07/07"
  3integration = ["endpoint", "windows", "m365_defender"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic", "Dennis Perto"]
  9description = """
 10Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being
 11renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via
 12side-loading a malicious DLL within the memory space of one of those processes.
 13"""
 14false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
 15from = "now-9m"
 16index = [
 17    "winlogbeat-*",
 18    "logs-endpoint.events.process-*",
 19    "logs-windows.sysmon_operational-*",
 20    "endgame-*",
 21    "logs-m365_defender.event-*",
 22]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable
 32
 33The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats.
 34
 35### Possible investigation steps
 36
 37- Review the process details to confirm if the process name is MsMpEng.exe but is executing from a non-standard path. Check the process.executable field to identify the exact path and verify if it deviates from the expected directories.
 38- Investigate the parent process of the suspicious MsMpEng.exe instance to determine how it was initiated. This can provide insights into whether the process was started by a legitimate application or a potentially malicious one.
 39- Examine the system for any recent file modifications or creations in the directory where the suspicious MsMpEng.exe is located. This can help identify if a malicious DLL was recently placed in the same directory.
 40- Check for any network connections or communications initiated by the suspicious MsMpEng.exe process. This can help determine if the process is attempting to communicate with external servers, which may indicate malicious activity.
 41- Look for any other processes or activities on the host that may indicate compromise, such as unusual user account activity or other processes running from unexpected locations. This can help assess the broader impact of the potential threat.
 42
 43### False positive analysis
 44
 45- Legitimate software updates or installations may temporarily rename or relocate the Microsoft Antimalware Service Executable. Users should verify if any software updates or installations occurred around the time of the alert and consider excluding these paths if they are known and trusted.
 46- Custom security or IT management tools might execute the executable from non-standard paths for monitoring or testing purposes. Confirm with IT or security teams if such tools are in use and add these paths to the exclusion list if they are verified as safe.
 47- Virtualization or sandbox environments may replicate the executable in different locations for testing or analysis. Check if the environment is part of a controlled setup and exclude these paths if they are part of legitimate operations.
 48- Backup or recovery processes might involve copying the executable to alternate locations. Ensure these processes are legitimate and consider excluding these paths if they are part of routine operations.
 49
 50### Response and remediation
 51
 52- Immediately isolate the affected system from the network to prevent further spread of the potential threat.
 53- Terminate any suspicious processes identified by the detection rule, specifically those involving MsMpEng.exe running from non-standard paths.
 54- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any malicious DLLs or other malware.
 55- Review and restore any altered or deleted system files from a known good backup to ensure system integrity.
 56- Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis.
 57- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures.
 58- Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence."""
 59references = [
 60    "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
 61]
 62risk_score = 73
 63rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
 64setup = """## Setup
 65
 66If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 67events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 68Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 69`event.ingested` to @timestamp.
 70For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 71"""
 72severity = "high"
 73tags = [
 74    "Domain: Endpoint",
 75    "OS: Windows",
 76    "Use Case: Threat Detection",
 77    "Tactic: Defense Evasion",
 78    "Data Source: Elastic Endgame",
 79    "Tactic: Execution",
 80    "Data Source: Elastic Defend",
 81    "Data Source: Sysmon",
 82    "Data Source: Microsoft Defender for Endpoint",
 83    "Resources: Investigation Guide",
 84]
 85timestamp_override = "event.ingested"
 86type = "eql"
 87
 88query = '''
 89process where host.os.type == "windows" and event.type == "start" and
 90(
 91  (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
 92  (process.name : "MsMpEng.exe" and not
 93        process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
 94                              "?:\\Program Files\\Windows Defender\\*.exe",
 95                              "?:\\Program Files (x86)\\Windows Defender\\*.exe",
 96                              "?:\\Program Files\\Microsoft Security Client\\*.exe",
 97                              "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe"))
 98)
 99'''
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1574"
106name = "Hijack Execution Flow"
107reference = "https://attack.mitre.org/techniques/T1574/"
108[[rule.threat.technique.subtechnique]]
109id = "T1574.002"
110name = "DLL Side-Loading"
111reference = "https://attack.mitre.org/techniques/T1574/002/"
112
113
114
115[rule.threat.tactic]
116id = "TA0005"
117name = "Defense Evasion"
118reference = "https://attack.mitre.org/tactics/TA0005/"