Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may indicate an attempt to sideload an arbitrary DLL into a trusted, signed Defender binary
Sigma rule (View on GitHub)
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may indicate an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
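The following is an added example, not part of the rule or the SigmaHQ project: it implements the rule's single `selection` block in Python and runs it over a handful of constructed Security-Mitigations event records (the ProcessPath values are invented, not real telemetry). It shows the two behaviours a practitioner should expect from the rule as written: Sigma's `endswith` modifier is case-insensitive, so `MPCMDRUN.EXE` still matches, and the leading backslash in the rule's values means a lookalike filename such as `NotMpCmdRun.exe` does not. The first sample event mirrors the pattern in the referenced SentinelOne write-up, where a copy of the signed Defender binary runs from a user-writable directory next to the attacker's DLL.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates the rule's
# selection block against event records from the
# Microsoft-Windows-Security-Mitigations log. All sample data below is constructed.
from dataclasses import dataclass

# Values taken directly from the rule; suffixes lower-cased because Sigma
# string modifiers such as |endswith are case-insensitive by default.
RULE_EVENT_IDS = {11, 12}
RULE_PROCESS_SUFFIXES = ("\\mpcmdrun.exe", "\\nissrv.exe")


@dataclass(frozen=True)
class MitigationEvent:
    """Minimal view of a Security-Mitigations event: only the two fields the rule uses."""
    event_id: int
    process_path: str


def matches_rule(event: MitigationEvent) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    The leading backslash in the rule's values anchors the match to the file
    name component, so a path ending in '\\NotMpCmdRun.exe' does not match.
    """
    if event.event_id not in RULE_EVENT_IDS:
        return False
    path = event.process_path.lower()
    return any(path.endswith(suffix) for suffix in RULE_PROCESS_SUFFIXES)


def alerts(events):
    """Return the subset of events the rule would raise an alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # Signed Defender binary copied to a writable directory: the sideloading pattern.
    MitigationEvent(11, r"C:\Users\Public\MpCmdRun.exe"),
    # NisSrv blocked from loading an unsigned DLL in its normal location.
    MitigationEvent(12, r"C:\Program Files\Windows Defender\NisSrv.exe"),
    # Same process, but an Event ID the rule does not cover.
    MitigationEvent(10, r"C:\Users\Public\MpCmdRun.exe"),
    # Unrelated process blocked by the same mitigation.
    MitigationEvent(11, r"C:\Windows\System32\notepad.exe"),
    # Lookalike name: '\NotMpCmdRun.exe' does not end with '\MpCmdRun.exe'.
    MitigationEvent(11, r"C:\Temp\NotMpCmdRun.exe"),
    # Different casing still matches because the comparison is case-insensitive.
    MitigationEvent(11, r"c:\temp\MPCMDRUN.EXE"),
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT: EventID {e.event_id} blocked an unsigned DLL load into {e.process_path}")
```

Running the block prints three alerts (the two Defender processes and the upper-cased copy) and stays silent on the Event ID 10 record, the unrelated process, and the lookalike filename. When triaging a real hit, the process path is the useful pivot: a Defender binary executing from anywhere other than its installation directory is the strongest indicator of the copy-and-sideload technique the rule targets.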
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL