Detectionmediumtest
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), Wietze BeukemaCreated Thu Jul 115ba243e5-8165-4cf7-8c69-e1d3669654c1windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
selection:
ImageLoaded|endswith: '\MpSvc.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*False Positives
Legitimate applications loading their own versions of the DLL mentioned in this rule.
References
MITRE ATT&CK
Rule Metadata
Rule ID
5ba243e5-8165-4cf7-8c69-e1d3669654c1
Status
test
Level
medium
Type
Detection
Created
Thu Jul 11
Path
rules/windows/image_load/image_load_side_load_mpsvc.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001