Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of Windows Defender "OfflineScannerShell.exe" with a current working directory other than its standard install directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.
Sigma rule (View on GitHub)
title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: |
    Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory.
    The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022-03-06
modified: 2023-08-03
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\OfflineScannerShell.exe'
        - OriginalFileName: 'OfflineScannerShell.exe'
    filter_main_legit_dir:
        CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
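To show how the selection and the three filter_main_* filters combine under the rule's condition, here is an added Python evaluator that applies the same logic to a handful of constructed process_creation events. It is not part of the Sigma rule or the SigmaHQ project; the field names (Image, OriginalFileName, CurrentDirectory) follow the Sigma process_creation taxonomy, and the sample events and their RecordId values are constructed, not captured from a real host.

```python
"""
Added example (not part of the Sigma rule above or of the SigmaHQ project):
a minimal Python evaluator that applies the rule's detection logic to
constructed process_creation events, so the selection and the three
filter_main_* filters can be checked offline. Field names follow the Sigma
process_creation taxonomy (Image, OriginalFileName, CurrentDirectory);
the sample events are constructed, not captured from a real host.
"""
from typing import Callable, Dict, List, Optional

# Value from the rule's filter_main_legit_dir (note the trailing backslash;
# written with escapes because a Python raw string cannot end in a backslash).
LEGIT_DIR = "C:\\Program Files\\Windows Defender\\Offline\\"

Event = Dict[str, Optional[str]]


def selection(event: Event) -> bool:
    """selection: a list of maps is OR-ed; Sigma string matching is case-insensitive."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\offlinescannershell.exe") or original == "offlinescannershell.exe"


def filter_main_legit_dir(event: Event) -> bool:
    """CurrentDirectory equals the Defender Offline install directory."""
    cwd = event.get("CurrentDirectory")
    return cwd is not None and cwd.lower() == LEGIT_DIR.lower()


def filter_main_empty(event: Event) -> bool:
    """CurrentDirectory is present but empty."""
    return event.get("CurrentDirectory") == ""


def filter_main_null(event: Event) -> bool:
    """CurrentDirectory is absent or null (Sigma 'null')."""
    return event.get("CurrentDirectory") is None


FILTERS: List[Callable[[Event], bool]] = [
    filter_main_legit_dir,
    filter_main_empty,
    filter_main_null,
]


def matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (RecordId is a made-up correlation key).
SAMPLE_EVENTS: List[Event] = [
    {  # legitimate run from the install directory -> suppressed by filter_main_legit_dir
        "RecordId": "evt-1",
        "Image": "C:\\Program Files\\Windows Defender\\Offline\\OfflineScannerShell.exe",
        "OriginalFileName": "OfflineScannerShell.exe",
        "CurrentDirectory": "c:\\program files\\windows defender\\offline\\",
    },
    {  # copied binary run from a user-writable directory -> alert
        "RecordId": "evt-2",
        "Image": "C:\\Users\\Public\\OfflineScannerShell.exe",
        "OriginalFileName": "OfflineScannerShell.exe",
        "CurrentDirectory": "C:\\Users\\Public\\",
    },
    {  # renamed binary; only OriginalFileName (PE version info) still matches -> alert
        "RecordId": "evt-3",
        "Image": "C:\\Temp\\scan.exe",
        "OriginalFileName": "OfflineScannerShell.exe",
        "CurrentDirectory": "C:\\Temp\\",
    },
    {  # telemetry without a CurrentDirectory field -> suppressed by filter_main_null
        "RecordId": "evt-4",
        "Image": "C:\\Temp\\OfflineScannerShell.exe",
        "OriginalFileName": "OfflineScannerShell.exe",
    },
    {  # unrelated process -> not selected
        "RecordId": "evt-5",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CurrentDirectory": "C:\\Users\\Public\\",
    },
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Return the RecordIds of events the rule would alert on."""
    return [e["RecordId"] for e in events if matches(e)]


if __name__ == "__main__":
    print("alerting events:", run())  # alerting events: ['evt-2', 'evt-3']
```

Two points the evaluator makes visible: the rule keys on CurrentDirectory rather than on the path of the DLL that actually gets loaded, because a process_creation event cannot observe the subsequent library load, so an image_load rule for mpclient.dll outside the Defender directory would be the natural complement; and the filter_main_empty and filter_main_null filters exist because some telemetry sources do not populate CurrentDirectory, which means such events are suppressed rather than alerted on (evt-4 above), a precision trade-off to keep in mind when tuning.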
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE