Suspicious Microsoft Antimalware Service Execution
Detection of Microsoft Antimalware Service Executable (MsMpEng.exe) executing from non-standard paths or being renamed, indicative of defense evasion via DLL side-loading or process masquerading.
This rule identifies suspicious execution patterns related to the Microsoft Antimalware Service Executable (MsMpEng.exe). Adversaries may attempt to evade detection by renaming this legitimate utility or executing it from atypical locations, typically to facilitate DLL side-loading or masquerade as a trusted process. This behavior is particularly concerning because it allows malicious code to run under the guise of a legitimate and trusted system process. The detection logic focuses on identifying instances where MsMpEng.exe is executed from paths deviating from the standard installation directories or when the process is renamed. The rule leverages process monitoring data to flag these anomalies, providing early warning of potential attempts to bypass security measures. Defenders should investigate any alerts generated by this rule to determine if the activity is legitimate or indicative of malicious behavior.
Attack Chain
- Initial Access: An attacker gains initial access to the system via various means (e.g., phishing, exploitation of a vulnerability).
- Malware Dropper: The attacker deploys a malware dropper onto the system.
- Persistence: The dropper establishes persistence, ensuring the malicious code executes on subsequent reboots or user logons.
- Defense Evasion: The attacker renames or copies the legitimate MsMpEng.exe executable to a non-standard path.
- DLL Side-Loading: The attacker places a malicious DLL file in the same directory as the renamed/copied MsMpEng.exe.
- Execution: The attacker executes the renamed/copied MsMpEng.exe, which then loads the malicious DLL via side-loading.
- Privilege Escalation: The malicious DLL executes with the privileges of MsMpEng.exe, potentially bypassing security controls.
- Malicious Actions: The attacker performs malicious actions, such as data exfiltration, lateral movement, or deploying ransomware.
Impact
Successful exploitation can lead to complete system compromise, as the attacker is able to execute arbitrary code with high privileges. This can result in data theft, system damage, or the deployment of ransomware. The impact is amplified by the trust associated with the MsMpEng.exe process, allowing the attacker to bypass many security controls and operate undetected for extended periods.
Recommendation
- Deploy the Sigma rule "Suspicious MsMpEng.exe Execution from Non-Standard Path" to your SIEM to detect instances of MsMpEng.exe running from unexpected directories.
- Deploy the Sigma rule "MsMpEng.exe Renamed" to identify renamed instances of the Microsoft Antimalware Service Executable, correlating with other suspicious activity.
- Investigate any alerts generated by these rules promptly, focusing on the parent processes and associated file modifications.
- Implement strict process whitelisting to limit the execution of binaries to known and trusted locations to prevent execution from non-standard paths.
- Monitor file creations and modifications in directories containing MsMpEng.exe for unexpected DLL files, which could indicate DLL side-loading attempts.
- Enable process creation logging with command-line arguments to provide better context for investigations related to this technique.
Detection coverage 2
Suspicious MsMpEng.exe Execution from Non-Standard Path
highDetects MsMpEng.exe executing from a non-standard path, potentially indicating defense evasion.
MsMpEng.exe Renamed
highDetects when MsMpEng.exe has been renamed, a technique used for defense evasion.
Detection queries are available on the platform. Get full rules →