Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's own processes (MpCmdRun.exe and NisSrv.exe) from loading a DLL that is not Microsoft-signed (Security-Mitigations events 11 and 12). Because these binaries are trusted and signed, such a block may indicate an attempt to sideload an arbitrary DLL through them, as LockBit did with MpCmdRun.exe in the referenced SentinelOne report.
Sigma rule
```yaml
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload an arbitrary DLL
references:
  - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
  - attack.privilege-escalation
  - attack.persistence
  - attack.execution
  - attack.stealth
  - attack.t1574.001
logsource:
  product: windows
  service: security-mitigations
detection:
  selection:
    EventID:
      - 11
      - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
    ProcessPath|endswith:
      - '\MpCmdRun.exe'
      - '\NisSrv.exe'
  condition: selection
falsepositives:
  - Unknown
level: high
```
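To see what the `selection` block above actually matches, the following added example (not code from the Sigma project or the rule author) replays the rule over a handful of constructed Security-Mitigations records. It implements just enough Sigma semantics for this rule: the values listed under one field are OR-ed, separate fields are AND-ed, and string comparisons including `endswith` are case-insensitive. The `Channel` and `TargetPath` fields in the sample records, and the paths in them, are assumptions for illustration and are not taken from real event data.

```python
"""Replay of this rule's `selection` over constructed log records.

Added example for this page; not code from the Sigma project. The event
records below are constructed, not captured from a real host.
"""
from typing import Any, Optional

# The selection block, transcribed from the rule's YAML.
SELECTION = {
    "EventID": [11, 12],  # CI blocked a non-Microsoft-signed image load
    "ProcessPath|endswith": ["\\MpCmdRun.exe", "\\NisSrv.exe"],
}


def _value_matches(actual: Any, expected: Any, modifier: Optional[str]) -> bool:
    """Compare one event value with one rule value under a Sigma modifier.

    Sigma string matching is case-insensitive, so both sides are lowercased.
    """
    if modifier is None:
        if isinstance(actual, str) and isinstance(expected, str):
            return actual.lower() == expected.lower()
        return actual == expected
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """True when the event satisfies every field (AND) via any listed value (OR)."""
    for key, expected_values in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not any(_value_matches(event[field], v, modifier or None)
                   for v in expected_values):
            return False
    return True


# Constructed records. Field names other than EventID/ProcessPath (Channel,
# TargetPath) and all paths are illustrative assumptions.
SAMPLE_EVENTS = [
    {   # Defender's command-line scanner blocked from loading a DLL dropped
        # beside it: the LockBit-style sideload from the referenced report.
        "Channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
        "EventID": 11,
        "ProcessPath": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
        "TargetPath": "C:\\Users\\Public\\mpclient.dll",
    },
    {   # Copy of NisSrv.exe run from an unusual folder; lowercase path still
        # matches because Sigma comparisons are case-insensitive.
        "Channel": "Microsoft-Windows-Security-Mitigations/UserMode",
        "EventID": 12,
        "ProcessPath": "c:\\programdata\\nissrv.exe",
        "TargetPath": "c:\\programdata\\version.dll",
    },
    {   # Same event ID, unrelated process: not a Defender binary, no alert.
        "Channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
        "EventID": 11,
        "ProcessPath": "C:\\Windows\\System32\\svchost.exe",
        "TargetPath": "C:\\Temp\\plugin.dll",
    },
    {   # Defender binary but a different event ID: outside the rule's scope.
        "Channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
        "EventID": 3,
        "ProcessPath": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
    },
]


def run_rule(events: list) -> list:
    """Return the indexes of the events that would raise this rule."""
    return [i for i, ev in enumerate(events) if selection_matches(ev, SELECTION)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: EventID {SAMPLE_EVENTS[i]['EventID']} "
              f"{SAMPLE_EVENTS[i]['ProcessPath']}")
```

Two things the replay makes visible: the rule keys only on the image name, so a Defender binary copied to any directory still matches, and it does not consult which DLL was blocked, so triage needs the blocked path from the event itself before deciding whether the load was a sideload attempt.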
References
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation