LoFP / Microsoft Antimalware Service Executable installed on non-default installation path.

Techniques

Sample rules

Suspicious Microsoft Antimalware Service Execution

Description

Identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. This may indicate an attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
(
  (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
  (
    process.name : "MsMpEng.exe" and
    not process.executable : (
            "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
            "?:\\Program Files\\Windows Defender\\*.exe",
            "?:\\Program Files (x86)\\Windows Defender\\*.exe",
            "?:\\Program Files\\Microsoft Security Client\\*.exe",
            "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe",

            /* Crowdstrike specific exclusion as it uses NT Object paths */
            "\\Device\\HarddiskVolume*\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files\\Windows Defender\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files (x86)\\Windows Defender\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Security Client\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Security Client\\*.exe"
    )
  )
)
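As an added example (not part of the rule above and not Elastic's code), the following Python re-implements the query's two branches and evaluates them against constructed process-start events. It shows which events fire (a renamed copy, and a Defender engine started from a directory outside the allow-list, which is exactly the false positive this page documents) and which do not (default paths, lower-case variants, CrowdStrike-style NT object paths, non-Windows hosts). The `extra_allowed_patterns` hook, the `_event` helper and all paths are assumptions made for the example, not rule fields.

```python
# Added example: a Python re-implementation of the EQL rule's logic, run over
# constructed process-start events. It is not the rule itself or Elastic code.
from fnmatch import fnmatchcase

# Allow-listed install locations, transcribed from the rule. EQL's ":" operator is a
# case-insensitive wildcard comparison, so every comparison below lowercases both sides.
ALLOWED_EXECUTABLE_PATTERNS = [
    r"?:\ProgramData\Microsoft\Windows Defender\*.exe",
    r"?:\Program Files\Windows Defender\*.exe",
    r"?:\Program Files (x86)\Windows Defender\*.exe",
    r"?:\Program Files\Microsoft Security Client\*.exe",
    r"?:\Program Files (x86)\Microsoft Security Client\*.exe",
    # CrowdStrike-sourced events report NT object paths instead of drive letters.
    r"\Device\HarddiskVolume*\ProgramData\Microsoft\Windows Defender\*.exe",
    r"\Device\HarddiskVolume*\Program Files\Windows Defender\*.exe",
    r"\Device\HarddiskVolume*\Program Files (x86)\Windows Defender\*.exe",
    r"\Device\HarddiskVolume*\Program Files\Microsoft Security Client\*.exe",
    r"\Device\HarddiskVolume*\Program Files (x86)\Microsoft Security Client\*.exe",
]


def wildcard_match(value, pattern):
    """EQL ':' semantics: case-insensitive; '*' matches any run, '?' one character.

    fnmatch treats a backslash as a literal character, so Windows paths work unchanged."""
    if value is None:  # a missing field never satisfies a comparison in EQL
        return False
    return fnmatchcase(value.lower(), pattern.lower())


def in_allowed_path(executable, extra_allowed_patterns=()):
    """True when the executable path matches the rule's allow-list plus any local additions."""
    patterns = list(ALLOWED_EXECUTABLE_PATTERNS) + list(extra_allowed_patterns)
    return any(wildcard_match(executable, p) for p in patterns)


def rule_matches(event, extra_allowed_patterns=()):
    """Return True when a flat ECS-style event satisfies the rule (an alert would fire).

    extra_allowed_patterns is a hypothetical tuning hook (not a rule field) for sites where
    Defender is legitimately installed outside the default directories."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    name = event.get("process.name")
    original = event.get("process.pe.original_file_name")
    executable = event.get("process.executable")
    # Branch 1: PE header says MsMpEng.exe but the on-disk file name differs (renamed copy).
    # '==' in EQL is case-sensitive equality, unlike ':'.
    renamed = original == "MsMpEng.exe" and not wildcard_match(name, "MsMpEng.exe")
    # Branch 2: named MsMpEng.exe but started from outside the known Defender / MSE directories.
    relocated = wildcard_match(name, "MsMpEng.exe") and not in_allowed_path(
        executable, extra_allowed_patterns
    )
    return renamed or relocated


def _event(name, original, executable, os_type="windows"):
    """Build a minimal flat event; helper for the constructed samples below."""
    return {
        "host.os.type": os_type,
        "event.type": "start",
        "process.name": name,
        "process.pe.original_file_name": original,
        "process.executable": executable,
    }


# Constructed sample events (not real telemetry); paths and version folders are made up.
SAMPLE_EVENTS = {
    "default_install": _event(
        "MsMpEng.exe", "MsMpEng.exe",
        r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"),
    "lowercase_default_install": _event(
        "msmpeng.exe", "MsMpEng.exe", r"c:\program files\windows defender\msmpeng.exe"),
    "nt_object_path": _event(
        "MsMpEng.exe", "MsMpEng.exe",
        r"\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe"),
    "renamed_copy": _event(
        "update.exe", "MsMpEng.exe", r"C:\Users\Public\update.exe"),
    "non_default_install": _event(
        "MsMpEng.exe", "MsMpEng.exe", r"D:\SecurityTools\Windows Defender\MsMpEng.exe"),
    "linux_host": _event(
        "MsMpEng.exe", "MsMpEng.exe", "/opt/msmpeng/MsMpEng.exe", os_type="linux"),
}


def evaluate_samples(extra_allowed_patterns=()):
    """Map each sample label to whether the rule would fire on it."""
    return {label: rule_matches(ev, extra_allowed_patterns)
            for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, fired in evaluate_samples().items():
        print(f"{label:28s} {'ALERT' if fired else 'ok'}")
    # The non-default install is the false positive this page documents; a local exclusion
    # for that directory silences it while the renamed-copy branch keeps firing.
    tuned = evaluate_samples([r"D:\SecurityTools\Windows Defender\*.exe"])
    print("after tuning:", tuned["non_default_install"], tuned["renamed_copy"])
```

Two details worth noting when triaging this false positive: the `*` in EQL wildcards spans path separators, so versioned `Platform\...` subfolders under the default directories are already covered, and any exclusion added for a custom install directory only affects the second branch; a binary whose PE `OriginalFilename` is `MsMpEng.exe` but whose file name differs still alerts regardless of where it lives.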