← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution

Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.

Quality
76
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: |
    Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory.
    The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022-03-06
modified: 2023-08-03
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\OfflineScannerShell.exe'
        - OriginalFileName: 'OfflineScannerShell.exe'
    filter_main_legit_dir:
        CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium