Potential Mpclient.DLL Sideloading

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.t1574.001  ·
Share on: linkedin copy

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Sigma rule (View on GitHub)

 1title: Potential Mpclient.DLL Sideloading
 2id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
 3related:
 4    - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
 5      type: similar
 6status: test
 7description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
 8references:
 9    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
10author: Bhabesh Raj
11date: 2022-08-02
12modified: 2023-08-04
13tags:
14    - attack.privilege-escalation
15    - attack.persistence
16    - attack.defense-evasion
17    - attack.t1574.001
18logsource:
19    product: windows
20    category: image_load
21detection:
22    selection:
23        ImageLoaded|endswith: '\mpclient.dll'
24        Image|endswith:
25            - '\MpCmdRun.exe'
26            - '\NisSrv.exe'
27    filter_main_known_locations:
28        Image|startswith:
29            - 'C:\Program Files (x86)\Windows Defender\'
30            - 'C:\Program Files\Microsoft Security Client\'
31            - 'C:\Program Files\Windows Defender\'
32            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
33            - 'C:\Windows\WinSxS\'
34    condition: selection and not 1 of filter_main_*
35falsepositives:
36    - Unlikely
37level: high

References

Related rules

to-top