Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
Sigma rule
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
    - attack.defense-evasion
    - attack.t1574.002
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
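As an added example (not part of this rule or the Sigma project), the selection logic above applied in Python to a handful of Security-Mitigations events. It assumes the event fields carry the same names the rule uses (EventID, ProcessPath) and, like Sigma's `endswith`, matches the path case-insensitively; the sample events are constructed, not real telemetry.

```python
from typing import Iterable, List

# Rule selection: Security-Mitigations event IDs 11 and 12 ...
WATCHED_EVENT_IDS = {11, 12}
# ... raised for Defender's own processes (compared lower-cased, as Sigma does).
WATCHED_PROCESSES = ("\\mpcmdrun.exe", "\\nissrv.exe")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block."""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        # Missing or non-numeric EventID can never match.
        return False
    path = str(event.get("ProcessPath", "")).lower()
    return event_id in WATCHED_EVENT_IDS and path.endswith(WATCHED_PROCESSES)


def find_hits(events: Iterable[dict]) -> List[dict]:
    """Filter a stream of events down to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed field names, invented paths).
SAMPLE_EVENTS = [
    # Block raised while MpCmdRun.exe tried to load an unsigned DLL: should match.
    {"EventID": 12,
     "ProcessPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\x.y.z\\MpCmdRun.exe"},
    # Same class of block for NisSrv.exe, EventID delivered as a string: should match.
    {"EventID": "11",
     "ProcessPath": "C:\\Program Files\\Windows Defender\\NisSrv.exe"},
    # Block for an unrelated process: the rule does not cover it.
    {"EventID": 12, "ProcessPath": "C:\\Windows\\System32\\notepad.exe"},
    # Defender process but a different Security-Mitigations event ID: no match.
    {"EventID": 10, "ProcessPath": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} ProcessPath={hit['ProcessPath']}")
```

The hit list is only the pivot point: an analyst would next retrieve the blocked image path from the same event and the process ancestry of the Defender binary, since a legitimately installed Defender loading an unsigned DLL from a user-writable directory is what the referenced sideloading case looks like.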
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL