Advisory severity: high

Suspicious Microsoft Antimalware Service Executable Execution

Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.

This detection identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. Attackers may attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process, blending in with legitimate system activity to avoid detection by security tools. The rule uses process creation telemetry to flag MsMpEng.exe running from unexpected locations or under a different file name, deviations from the service's expected execution pattern that may indicate malicious activity. This behavior has been observed in ransomware attacks such as REvil.

Attack Chain

  1. An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
  2. The attacker drops a malicious payload onto the system, placing it in a non-standard directory, such as a temporary folder or a user’s profile directory.
  3. The attacker renames or copies the legitimate MsMpEng.exe to the malicious payload’s location.
  4. The attacker executes the renamed or copied MsMpEng.exe from the non-standard location. This is intended to mimic legitimate activity and evade detection.
  5. The malicious MsMpEng.exe then loads a malicious DLL through DLL side-loading, which executes arbitrary code within the context of the antimalware process.
  6. The malicious code performs actions such as disabling security controls, escalating privileges, or establishing persistence.
  7. The attacker leverages the compromised system to move laterally within the network, compromising additional systems.
  8. The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation can lead to complete system compromise, including the disabling of security controls, data theft, and ransomware deployment. This can result in significant financial losses, reputational damage, and disruption of business operations. Identifying and responding to this type of attack is critical to prevent further damage. The Sophos article references the REvil ransomware attack which impacted hundreds of businesses.

Recommendation

  • Enable Sysmon process creation logging (Event ID 1) to capture process execution events, including image path and command-line arguments, which are essential for detecting this behavior.
  • Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious MsMpEng.exe execution from unusual paths or renamed instances.
  • Investigate any alerts generated by these rules to determine the legitimacy of the MsMpEng.exe execution and identify any potential malicious activity.
  • Monitor process execution events for instances where the process name is “MsMpEng.exe” but the executable path is outside the standard Windows Defender or Microsoft Security Client directories.
  • Review the references provided for additional context and guidance on investigating this type of activity.

Detection coverage (3 rules)

Suspicious MsMpEng.exe Execution from Unusual Path

Severity: high

Detects MsMpEng.exe execution from a non-standard path, which may indicate an attempt to evade defenses.

Format: Sigma | Tactics: defense_evasion | Techniques: T1036 | Sources: process_creation, windows

MsMpEng.exe Renamed and Executed

Severity: high

Detects execution of a process whose on-disk image name differs from the OriginalFileName of MsMpEng.exe recorded in its PE version metadata, suggesting masquerading.

Format: Sigma | Tactics: defense_evasion | Techniques: T1036 | Sources: process_creation, windows

Suspicious MsMpEng.exe CommandLine Parameters

Severity: medium

Detects MsMpEng.exe execution with unusual command line parameters.

Format: Sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: process_creation, windows
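The three rules above, and the Sysmon Event ID 1 recommendation, can be checked against process creation records directly. The following is an added example written for this brief, not the platform's own Sigma rules: it implements the unusual-path, renamed-binary and command-line checks over a few constructed Sysmon process creation events. The field names (Image, OriginalFileName, CommandLine, ProcessId) are the ones Sysmon writes for Event ID 1; the expected directories are the standard Windows Defender and Microsoft Security Client install locations; the assumption that the service binary normally starts with no command-line arguments, and the sample paths, version folder and flag in the events, are this example's own.

```python
"""Added example (not the platform's Sigma rules): the three MsMpEng.exe
detections described on this page as checks over Sysmon Event ID 1 records.

Assumptions of this example: the expected install directories below are the
standard Defender / Security Client ones, and the service binary is normally
started with no arguments (the basis of the command-line check)."""
import re

# Where the legitimate service executable is expected to live. The Platform
# directory carries a version-numbered subfolder, hence the wildcard segment.
EXPECTED_IMAGE = [
    re.compile(r"^C:\\Program Files\\Windows Defender\\MsMpEng\.exe$", re.I),
    re.compile(r"^C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\[^\\]+\\MsMpEng\.exe$", re.I),
    re.compile(r"^C:\\Program Files\\Microsoft Security Client\\MsMpEng\.exe$", re.I),
]

# Minimal Windows command-line tokenizer: a quoted token or a run of non-space.
_ARG = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_msmpeng(ev: dict) -> bool:
    """True if the event claims to be MsMpEng.exe by file name or PE metadata."""
    return (basename(ev.get("Image", "")).lower() == "msmpeng.exe"
            or ev.get("OriginalFileName", "").lower() == "msmpeng.exe")


def check_unusual_path(ev: dict):
    """Rule 1: image is named MsMpEng.exe but sits outside an expected directory."""
    image = ev.get("Image", "")
    if basename(image).lower() != "msmpeng.exe":
        return None
    if any(p.match(image) for p in EXPECTED_IMAGE):
        return None
    return ("high", "Suspicious MsMpEng.exe Execution from Unusual Path")


def check_renamed(ev: dict):
    """Rule 2: PE OriginalFileName says MsMpEng.exe, but the on-disk name differs."""
    if ev.get("OriginalFileName", "").lower() != "msmpeng.exe":
        return None
    if basename(ev.get("Image", "")).lower() == "msmpeng.exe":
        return None
    return ("high", "MsMpEng.exe Renamed and Executed")


def check_cmdline(ev: dict):
    """Rule 3: MsMpEng.exe started with arguments (assumed abnormal for the service)."""
    if not is_msmpeng(ev):
        return None
    if len(_ARG.findall(ev.get("CommandLine", ""))) <= 1:
        return None
    return ("medium", "Suspicious MsMpEng.exe CommandLine Parameters")


CHECKS = (check_unusual_path, check_renamed, check_cmdline)


def scan(events):
    """Return (ProcessId, severity, rule title) for every check that fires."""
    hits = []
    for ev in events:
        for check in CHECKS:
            result = check(ev)
            if result:
                hits.append((ev["ProcessId"], *result))
    return hits


# Constructed sample events (not real telemetry), one per scenario.
SAMPLE_EVENTS = [
    {"ProcessId": 1001,  # legitimate service start from the versioned Platform folder
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"'},
    {"ProcessId": 1002,  # copied to a user-writable directory (attack chain step 4)
     "Image": r"C:\Users\Public\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe",
     "CommandLine": r'"C:\Users\Public\MsMpEng.exe"'},
    {"ProcessId": 1003,  # renamed copy; only the PE metadata gives it away
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "OriginalFileName": "MsMpEng.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\update.exe"'},
    {"ProcessId": 1004,  # right place, but started with a (constructed) argument
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MsMpEng.exe" -constructedflag'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Two caveats worth keeping in mind when tuning: the Platform directory wildcard is what keeps legitimate engine updates (each in a new versioned subfolder) from tripping rule 1, and rule 2 depends entirely on Sysmon's OriginalFileName, which comes from the binary's version resource, so an event with that field empty should be treated as a gap in telemetry rather than as a clean result.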
