Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of MpSvc.DLL
2id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
3status: experimental
4description: Detects potential DLL sideloading of "MpSvc.dll".
5references:
6 - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
8date: 2024-07-11
9tags:
10 - attack.defense-evasion
11 - attack.t1574.002
12logsource:
13 product: windows
14 category: image_load
15detection:
16 selection:
17 ImageLoaded|endswith: '\MpSvc.dll'
18 filter_main_generic:
19 ImageLoaded|startswith:
20 - 'C:\Program Files\Windows Defender\'
21 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
22 - 'C:\Windows\WinSxS\'
23 condition: selection and not 1 of filter_main_*
24falsepositives:
25 - Legitimate applications loading their own versions of the DLL mentioned in this rule.
26level: medium
References
-
Check out the entry for mpsvc.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL