
Msmpeng Application DLL Side Loading

Splunk Security Content

Summary
This detection rule identifies suspicious file creation events involving 'msmpeng.exe' or 'mpsvc.dll' in directories other than the default Windows Defender locations. Using the Endpoint.Filesystem data model, the rule monitors attempts to create these files outside their legitimate folders, because that pattern is typically associated with DLL side-loading tactics used by ransomware groups such as REvil, in which the signed Defender binary is copied elsewhere so that it loads an attacker-supplied 'mpsvc.dll' sitting next to it. A match on this rule may indicate malicious activity such as ransomware staging, which can lead to data encryption, data loss, and extortion.
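The following is an added example, not part of the Splunk Security Content page or its SPL, showing the same detection logic applied in Python to a few constructed Endpoint.Filesystem-style events. The allowlisted Defender directories, the field names (`dest`, `user`, `file_path`) and the sample paths are assumptions for illustration; tune the allowlist to what your environment actually deploys.

```python
import ntpath  # Windows path semantics regardless of the host OS running this script

# Assumed default Windows Defender install locations (not taken from the page).
# Defender platform updates land in versioned subfolders under "Platform",
# so the check is a prefix match on the directory, not an exact match.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# File names the rule watches for, compared case-insensitively.
WATCHED_FILES = {"msmpeng.exe", "mpsvc.dll"}


def is_default_defender_dir(directory: str) -> bool:
    """True if the directory is (or sits below) a known Defender location."""
    d = directory.replace("/", "\\").lower().rstrip("\\")
    return any(d == base or d.startswith(base + "\\") for base in DEFENDER_DIRS)


def detect_defender_sideload_staging(events):
    """Return the events where msmpeng.exe or mpsvc.dll is created outside
    the default Defender directories; each hit carries the fields an analyst
    would pivot on (host, user, full path)."""
    hits = []
    for ev in events:
        path = ev["file_path"]
        name = ntpath.basename(path).lower()
        if name not in WATCHED_FILES:
            continue
        if is_default_defender_dir(ntpath.dirname(path)):
            continue  # legitimate install or platform update location
        hits.append({
            "dest": ev["dest"],
            "user": ev["user"],
            "file_name": name,
            "file_path": path,
            "note": "Defender binary/DLL created outside default directory (possible DLL side-loading staging)",
        })
    return hits


# Constructed sample events in the shape of Endpoint.Filesystem file-creation records.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "SYSTEM",
     "file_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"dest": "ws01", "user": "SYSTEM",
     "file_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2311.5-0\MpSvc.dll"},
    {"dest": "ws02", "user": "CORP\\jdoe",
     "file_path": r"C:\Users\Public\Music\MsMpEng.exe"},
    {"dest": "ws02", "user": "CORP\\jdoe",
     "file_path": r"C:\Users\Public\Music\mpsvc.dll"},
    {"dest": "ws02", "user": "CORP\\jdoe",
     "file_path": r"C:\Users\Public\notes.txt"},
]


if __name__ == "__main__":
    for hit in detect_defender_sideload_staging(SAMPLE_EVENTS):
        print(f"[{hit['dest']}] {hit['user']} created {hit['file_path']} :: {hit['note']}")
```

The two legitimate events (the install directory and a versioned platform update folder) are suppressed by the directory allowlist; the two copies under `C:\Users\Public\Music` are reported together, which is the pairing an analyst expects to see when the signed executable is staged alongside a replacement DLL.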
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1574.002
  • T1574
Created: 2024-11-13