Techniques
Sample rules
Potential DLL Side-Loading via Microsoft Antimalware Service Executable
- source: elastic
- technicques:
- T1574
Description
Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.
Detection logic
process where host.os.type == "windows" and event.type == "start" and
(
(process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
(
process.name : "MsMpEng.exe" and
not process.executable : (
"?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
"?:\\Program Files\\Windows Defender\\*.exe",
"?:\\Program Files (x86)\\Windows Defender\\*.exe",
"?:\\Program Files\\Microsoft Security Client\\*.exe",
"?:\\Program Files (x86)\\Microsoft Security Client\\*.exe",
/* Crowdstrike specific exclusion as it uses NT Object paths */
"\\Device\\HarddiskVolume*\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
"\\Device\\HarddiskVolume*\\Program Files\\Windows Defender\\*.exe",
"\\Device\\HarddiskVolume*\\Program Files (x86)\\Windows Defender\\*.exe",
"\\Device\\HarddiskVolume*\\Program Files\\Microsoft Security Client\\*.exe",
"\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Security Client\\*.exe"
)
)
)