Detects potential sideloading of “mpclient.dll” by Windows Defender processes (“MpCmdRun” and “NisSrv”) from their non-default directory.
title: Potential Mpclient.DLL Sideloading Via Defender Binaries
id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
related:
- id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
type: similar
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-01
modified: 2023-08-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\MpCmdRun.exe'
- '\NisSrv.exe'
filter_main_known_locations:
Image|startswith:
- 'C:\Program Files (x86)\Windows Defender\'
- 'C:\Program Files\Microsoft Security Client\'
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
imProcessCreate
| where (TargetProcessName endswith "\\MpCmdRun.exe" or TargetProcessName endswith "\\NisSrv.exe") and (not((TargetProcessName startswith "C:\\Program Files (x86)\\Windows Defender\\" or TargetProcessName startswith "C:\\Program Files\\Microsoft Security Client\\" or TargetProcessName startswith "C:\\Program Files\\Windows Defender\\" or TargetProcessName startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or TargetProcessName startswith "C:\\Windows\\WinSxS\\")))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |