Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of MpSvc.DLL
2id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
3status: test
4description: Detects potential DLL sideloading of "MpSvc.dll".
5references:
6 - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
8date: 2024-07-11
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1574.001
14logsource:
15 product: windows
16 category: image_load
17detection:
18 selection:
19 ImageLoaded|endswith: '\MpSvc.dll'
20 filter_main_generic:
21 ImageLoaded|startswith:
22 - 'C:\Program Files\Windows Defender\'
23 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
24 - 'C:\Windows\WinSxS\'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Legitimate applications loading their own versions of the DLL mentioned in this rule.
28level: medium
References
-
Check out the entry for mpsvc.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL