Msmpeng Application DLL Side Loading

Msmpeng Application DLL Side Loading

Description

This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen couple days ago with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine

   Help

Msmpeng Application DLL Side Loading Help

To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the Endpoint datamodel in the Filesystem node.

   Search

Open in Search