sigmahighHunting

Microsoft Defender Blocked from Loading Unsigned DLL

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

MITRE ATT&CK

T1574.001

privilege-escalationpersistencedefense-evasion

Detection Query

selection:
  EventID:
    - 11
    - 12
  ProcessPath|endswith:
    - \MpCmdRun.exe
    - \NisSrv.exe
condition: selection

Author

Bhabesh Raj

Created

2022-08-02

Data Sources

windowssecurity-mitigations

Platforms

windows

References

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool

Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001

Raw Content

title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high