Microsoft Defender Blocked from Loading Unsigned DLL

Detects the Code Integrity (CI) engine blocking Microsoft Defender processes (MpCmdRun.exe and NisSrv.exe) from loading an unsigned DLL, which may indicate an attempt to sideload an arbitrary DLL into a trusted security tool

Sigma rule

title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects the Code Integrity (CI) engine blocking Microsoft Defender processes (MpCmdRun.exe and NisSrv.exe) from loading an unsigned DLL, which may indicate an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022/08/02
modified: 2022/09/28
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
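The detection block above is a single `selection` that ANDs two field tests: `EventID` must be 11 or 12, and `ProcessPath` must end in one of the two Defender binaries. As an added worked example (not code from SigmaHQ, the rule author, or Microsoft), the Python below re-implements that selection and runs it over a handful of constructed Security-Mitigations-style events, covering the cases a practitioner would want to check: Sigma's case-insensitive `endswith`, a same-process event with a different mitigation ID, a path that merely contains the binary name, and an event missing the keyed field. The `ImageName` field in the sample events is an assumption made for the demo (the blocked DLL), not a field the rule depends on. One caveat worth knowing: in the Microsoft-Windows-Security-Mitigations channels, ID 11 is the code-integrity-guard audit event and ID 12 the enforce event, so the rule also fires when the mitigation runs in audit mode and the load was logged but not actually blocked.

```python
# Added example: minimal re-implementation of the Sigma rule's 'selection' over
# constructed Security-Mitigations events. Not SigmaHQ, rule-author or Microsoft
# code; the event dicts are made up for the demonstration, and the field names
# follow the rule (EventID, ProcessPath). ImageName is an assumed extra field.

WATCHED_EVENT_IDS = {11, 12}  # Code integrity guard: 11 = audit, 12 = enforce
WATCHED_PROCESS_SUFFIXES = ("\\mpcmdrun.exe", "\\nissrv.exe")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma string modifiers such as |endswith are case-insensitive by default,
    so the path is lower-cased before the suffix check. The leading backslash
    in the suffix keeps 'MpCmdRun.exe.bak' or 'NotMpCmdRun.exe' from matching.
    """
    event_id = event.get("EventID")
    process_path = event.get("ProcessPath")
    if event_id not in WATCHED_EVENT_IDS or not isinstance(process_path, str):
        return False
    return process_path.lower().endswith(WATCHED_PROCESS_SUFFIXES)


def scan(events: list) -> list:
    """Apply the rule to a batch of events and return one alert per hit."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule": "Microsoft Defender Blocked from Loading Unsigned DLL",
                "level": "high",
                "mode": "enforce" if ev["EventID"] == 12 else "audit",
                "EventID": ev["EventID"],
                "ProcessPath": ev["ProcessPath"],
                # Assumed field carrying the DLL that CI refused to load.
                "ImageName": ev.get("ImageName"),
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Enforce-mode CI block of an unsigned DLL loaded by a relocated MpCmdRun.exe: fires.
    {"EventID": 12, "ProcessPath": r"C:\Users\Public\MpCmdRun.exe",
     "ImageName": r"C:\Users\Public\unsigned.dll"},
    # Audit-mode event for NisSrv.exe with odd casing: fires (case-insensitive match).
    {"EventID": 11, "ProcessPath": r"c:\temp\NISSRV.EXE",
     "ImageName": r"c:\temp\payload.dll"},
    # Same process, but a different mitigation (block remote images): does not fire.
    {"EventID": 8, "ProcessPath": r"C:\Users\Public\MpCmdRun.exe",
     "ImageName": r"\\share\remote.dll"},
    # CI block for an unrelated process: does not fire.
    {"EventID": 12, "ProcessPath": r"C:\Windows\System32\notepad.exe",
     "ImageName": r"C:\Temp\evil.dll"},
    # Path that only contains the binary name, not as the file name: does not fire.
    {"EventID": 12, "ProcessPath": r"C:\Tools\MpCmdRun.exe.bak",
     "ImageName": r"C:\Temp\x.dll"},
    # Event missing the field the rule keys on: does not fire.
    {"EventID": 12},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, one in enforce mode and one in audit mode; if your environment only has the mitigation in audit mode, the `mode` field is the quickest way to tell whether the DLL actually loaded, which changes the urgency of the triage.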
