Adversaries may sideload a malicious MpSvc.dll so that a trusted, Microsoft-signed Defender executable runs their code instead of the genuine library (see the hijacklibs entry referenced in the rule). Because the payload runs inside a process that looks legitimate, the technique serves defense evasion and persistence and, depending on the account the host process runs under, privilege escalation. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) and in Defender advanced hunting to identify and contain it early.
Detection Rule
title: Potential DLL Sideloading Of MpSvc.DLL
id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
status: test
description: Detects potential DLL sideloading of "MpSvc.dll".
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\MpSvc.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
The same logic as a Microsoft Defender advanced hunting (KQL) query; the selection and the three path exclusions map one-to-one onto the Sigma rule, and KQL's endswith/startswith operators are case-insensitive like Sigma's modifiers:
DeviceImageLoadEvents
| where FolderPath endswith "\\MpSvc.dll"
| where not (FolderPath startswith "C:\\Program Files\\Windows Defender\\"
          or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
          or FolderPath startswith "C:\\Windows\\WinSxS\\")
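As an added example (not the rule authors' code and not from hijacklibs or Microsoft), the Python below re-implements the rule's selection-and-filter logic over constructed image-load events and compares two ways of handling the false-positive scenarios listed further down: excluding on the loading process's file name versus excluding on a vetted SHA-256 of the DLL. Field names follow Sysmon event 7 (Image is the loading process, ImageLoaded the DLL); every path, the platform version folder, the WinSxS folder name and all hashes are made up for the example.

```python
"""Added example: Sigma 'Potential DLL Sideloading Of MpSvc.DLL' logic run
over constructed image-load events, plus two exclusion strategies compared.
Nothing here is real telemetry; hashes and folder names are placeholders."""
from typing import Any, Dict, List, Set

Event = Dict[str, Any]

# filter_main_generic from the rule. Sigma's startswith/endswith modifiers are
# case-insensitive, so every comparison is done on lower-cased paths.
LEGIT_PREFIXES = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\windows\\winsxs\\",
)


def matches_rule(event: Event) -> bool:
    """'selection and not 1 of filter_main_*' for one image-load event."""
    loaded = str(event["ImageLoaded"]).lower()
    if not loaded.endswith("\\mpsvc.dll"):            # selection
        return False
    return not any(loaded.startswith(p) for p in LEGIT_PREFIXES)  # filters


def excluded_by_process_name(event: Event) -> bool:
    """The exclusion the false-positive scenarios suggest, taken literally:
    drop the event when the loading process is named MsMpEng.exe or
    MpCmdRun.exe. Only the file name is compared, so a copy of MsMpEng.exe
    placed next to an attacker's MpSvc.dll is excluded as well."""
    name = str(event["Image"]).lower().rsplit("\\", 1)[-1]
    return name in ("msmpeng.exe", "mpcmdrun.exe")


def excluded_by_known_good(event: Event, known_good: Set[str]) -> bool:
    """Safer exclusion: the loaded DLL's SHA-256 is on a vetted allow-list."""
    return str(event["SHA256"]).lower() in known_good


def alerts_with_process_name_filter(events: List[Event]) -> List[int]:
    return [e["id"] for e in events
            if matches_rule(e) and not excluded_by_process_name(e)]


def alerts_with_hash_allowlist(events: List[Event], known_good: Set[str]) -> List[int]:
    return [e["id"] for e in events
            if matches_rule(e) and not excluded_by_known_good(e, known_good)]


GOOD_SHA256 = "de" * 32            # placeholder for a vetted Defender MpSvc.dll hash
KNOWN_GOOD = {GOOD_SHA256}
PLATFORM = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24030.9-0\\"  # made-up version folder

EVENTS: List[Event] = [  # constructed events, not real telemetry
    # 1: the genuine service loading the genuine DLL from the platform folder
    {"id": 1, "Image": PLATFORM + "MsMpEng.exe",
     "ImageLoaded": PLATFORM + "MpSvc.dll", "SHA256": GOOD_SHA256},
    # 2: the sideload: a copied MsMpEng.exe beside an attacker-built MpSvc.dll
    {"id": 2, "Image": "C:\\Users\\Public\\MsMpEng.exe",
     "ImageLoaded": "C:\\Users\\Public\\MpSvc.dll", "SHA256": "ff" * 32},
    # 3: servicing copy in WinSxS (made-up component name), excluded by the rule
    {"id": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\WinSxS\\amd64_windows-defender\\MpSvc.dll",
     "SHA256": GOOD_SHA256},
    # 4: an admin's copy of the genuine DLL in a scratch folder, upper-cased
    #    to show that the match is case-insensitive
    {"id": 4, "Image": "C:\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Temp\\MPSVC.DLL", "SHA256": GOOD_SHA256},
    # 5: a similarly named but different DLL; must not match the selection
    {"id": 5, "Image": "C:\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Temp\\MpSvcHelper.dll", "SHA256": "ab" * 32},
]


if __name__ == "__main__":
    print("raw rule hits:        ", [e["id"] for e in EVENTS if matches_rule(e)])
    print("process-name exclusion:", alerts_with_process_name_filter(EVENTS))
    print("hash allow-list:       ", alerts_with_hash_allowlist(EVENTS, KNOWN_GOOD))
```

Running it shows the rule itself firing on events 2 and 4 only. The process-name exclusion then keeps the benign admin copy (4) and silently drops the real sideload (2), because the attacker's loader is itself a copy of MsMpEng.exe; the hash allow-list does the opposite, which is the behaviour you want.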
Scenario: System Update or Patching Process
Description: A Defender platform update writes a new MpSvc.dll under the Platform folder and the WinSxS component store. Both locations are already excluded by the rule, so a normal update does not fire it; an alert during an update window means the DLL was written somewhere the rule does not trust.
Filter/Exclusion: Do not exclude on a timestamp window (e.g., file_time between "2024-03-01T00:00:00" and "2024-03-07T23:59:59"): an attacker who lands during the patch window would be suppressed along with the update. If an imaging or deployment tool is confirmed to stage the DLL elsewhere, exclude that specific staging path or the SHA-256 of the shipped DLL instead.
Scenario: Scheduled Job Running Antivirus Scan
Description: A scheduled Defender scan or a third-party antivirus job may load MpSvc.dll, or a copy of it, from a location outside the excluded folders.
Filter/Exclusion: Do not exclude on the loading process's name alone (e.g., process_name = "MsMpEng.exe" or process_name = "MpCmdRun.exe"). The sideloading case the rule targets is a copied MsMpEng.exe loading an attacker's MpSvc.dll from the same attacker-controlled folder, and a name-only exclusion hides exactly that event. Exclude on the full path of the initiating process (InitiatingProcessFolderPath in advanced hunting, Image in Sysmon) being under the Defender Platform folder, combined with the DLL's path or hash.
Scenario: Microsoft Defender Service Initialization
Description: The Defender antimalware service executable (MsMpEng.exe) loads MpSvc.dll from the Platform folder at startup and on service restart.
Filter/Exclusion: None needed; those loads are already covered by the Platform and WinSxS exclusions. Adding a process-name exclusion for MsMpEng.exe would blind the rule to the sideloading case described above.
Scenario: Admin Task to Replace DLL for Compatibility
Description: An administrator may copy a newer or older Microsoft-signed MpSvc.dll to a non-standard location for compatibility testing or a bug fix.
Filter/Exclusion: Exclude on the SHA-256 of the known-good, Microsoft-signed release (e.g., file_hash = "<SHA-256 of the signed MpSvc.dll>"; the SHA256 column of DeviceImageLoadEvents in advanced hunting), or confirm the signer through DeviceFileCertificateInfo. An MD5-length value such as "a1b2c3d4e5f67890abcdef1234567890" is a placeholder, not a real hash, and MD5 should not be used for allow-listing in any case.
Scenario: Third-Party Tool Integration with Windows Defender
Description: A