Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by the Windows Defender processes "MpCmdRun.exe" and "NisSrv.exe" when they run from a directory other than their default installation locations.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
  selection:
    Image|endswith:
      - '\MpCmdRun.exe'
      - '\NisSrv.exe'
  filter_main_known_locations:
    Image|startswith:
      - 'C:\Program Files (x86)\Windows Defender\'
      - 'C:\Program Files\Microsoft Security Client\'
      - 'C:\Program Files\Windows Defender\'
      - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
      - 'C:\Windows\WinSxS\'
  condition: selection and not 1 of filter_main_*
False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
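To show how the selection and filter above combine, here is an added Python evaluation of the rule logic over a few constructed process-creation events (example code, not the Sigma project's own; the event records and the `x.y.z` platform version folder are constructed placeholders). Sigma string modifiers compare case-insensitively by default, which the example reproduces.

```python
# Added example: evaluate this Sigma rule's logic over constructed events.
# Not part of the rule page; events below are invented for illustration.

# Values copied from the rule's selection and filter_main_known_locations.
SUSPECT_BINARIES = ("\\MpCmdRun.exe", "\\NisSrv.exe")
KNOWN_LOCATIONS = (
    "C:\\Program Files (x86)\\Windows Defender\\",
    "C:\\Program Files\\Microsoft Security Client\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Windows\\WinSxS\\",
)


def matches_rule(image: str) -> bool:
    """Return True when an event's Image field would fire the rule.

    Implements: selection and not 1 of filter_main_*
    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before comparing.
    """
    img = image.lower()
    selection = any(img.endswith(s.lower()) for s in SUSPECT_BINARIES)
    in_known_location = any(img.startswith(k.lower()) for k in KNOWN_LOCATIONS)
    return selection and not in_known_location


# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    # Legitimate: platform folder under ProgramData is in the filter list.
    {"EventID": 1, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MpCmdRun.exe"},
    # Suspicious: Defender binary copied to a world-writable directory.
    {"EventID": 1, "Image": r"C:\Users\Public\Temp\MpCmdRun.exe"},
    # Suspicious, and lower-case to exercise case-insensitive matching.
    {"EventID": 1, "Image": r"C:\Users\Public\Temp\nissrv.exe"},
    # Unrelated process: selection does not match at all.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def alerts(events):
    """Return the Image paths of all events that trigger the rule."""
    return [e["Image"] for e in events if matches_rule(e.get("Image", ""))]


if __name__ == "__main__":
    for img in alerts(EVENTS):
        print("ALERT: Defender binary outside known location:", img)
```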
References
MITRE ATT&CK
Rule Metadata
Rule ID
7002aa10-b8d4-47ae-b5ba-51ab07e228b9
Status
test
Level
high
Type
Detection
Created
Mon Aug 01
Modified
Fri Aug 04
Author
Path
rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.defense-evasion
attack.t1574.001