Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of Windows Defender "OfflineScannerShell.exe" from a non-standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.
Sigma rule
title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: |
    Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory.
    The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022/03/06
modified: 2023/08/03
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\OfflineScannerShell.exe'
        - OriginalFileName: 'OfflineScannerShell.exe'
    filter_main_legit_dir:
        CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
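The rule's matching logic, re-implemented as an added Python example (not the Sigma project's code or any backend output) and run over constructed process_creation events. The `id` key and the sample paths are assumptions; the field names follow the Sigma Windows process_creation schema used by the rule.

```python
# Added example (not part of the Sigma project): a plain-Python re-implementation
# of this rule's detection logic, run over constructed process_creation events.
# Field names follow the Sigma Windows process_creation schema (Image,
# OriginalFileName, CurrentDirectory); the "id" key is only a sample label.

LEGIT_DIR = "C:\\Program Files\\Windows Defender\\Offline\\"

def _lower(value):
    return (value or "").lower()

def selection(event):
    """Either selection item matches (Sigma joins a list with OR);
    Sigma string comparisons are case-insensitive."""
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    return (image.endswith("\\offlinescannershell.exe")
            or original == "offlinescannershell.exe")

def filtered(event):
    """True when 1 of filter_main_* applies: the legitimate install
    directory, an empty CurrentDirectory, or a missing field (null)."""
    cwd = event.get("CurrentDirectory")
    if cwd is None or cwd == "":
        return True
    return cwd.lower() == LEGIT_DIR.lower()

def matches(event):
    return selection(event) and not filtered(event)

def alerts(events):
    """Return the ids of the events that fire the rule."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "legit", "Image": LEGIT_DIR + "OfflineScannerShell.exe",
     "OriginalFileName": "OfflineScannerShell.exe", "CurrentDirectory": LEGIT_DIR},
    {"id": "copied", "Image": "C:\\Users\\Public\\OfflineScannerShell.exe",
     "OriginalFileName": "OfflineScannerShell.exe",
     "CurrentDirectory": "C:\\Users\\Public\\"},
    {"id": "renamed", "Image": "C:\\Users\\Public\\scan.exe",
     "OriginalFileName": "OfflineScannerShell.exe",
     "CurrentDirectory": "C:\\Users\\Public\\"},
    {"id": "no_cwd", "Image": "C:\\Users\\Public\\OfflineScannerShell.exe",
     "OriginalFileName": "OfflineScannerShell.exe"},
    {"id": "other", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CurrentDirectory": "C:\\Users\\Public\\"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['copied', 'renamed']
```

The "renamed" event shows why OriginalFileName is part of the selection, and the "no_cwd" event shows that the filter_main_null branch suppresses events whose log source does not record CurrentDirectory, so that field must be collected for the rule to be effective.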