Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Sigma rule (View on GitHub)
1title: Potential Mpclient.DLL Sideloading
2id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
3related:
4 - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
5 type: similar
6status: test
7description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
8references:
9 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
10author: Bhabesh Raj
11date: 2022-08-02
12modified: 2023-08-04
13tags:
14 - attack.defense-evasion
15 - attack.t1574.002
16logsource:
17 product: windows
18 category: image_load
19detection:
20 selection:
21 ImageLoaded|endswith: '\mpclient.dll'
22 Image|endswith:
23 - '\MpCmdRun.exe'
24 - '\NisSrv.exe'
25 filter_main_known_locations:
26 Image|startswith:
27 - 'C:\Program Files (x86)\Windows Defender\'
28 - 'C:\Program Files\Microsoft Security Client\'
29 - 'C:\Program Files\Windows Defender\'
30 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
31 - 'C:\Windows\WinSxS\'
32 condition: selection and not 1 of filter_main_*
33falsepositives:
34 - Unlikely
35level: high
References
-
LockBit ransomware finds a new way to evade security controls by leveraging a Windows Defender command line tool.
Read More
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL