Suspicious Microsoft Antimalware Service Execution

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. This may indicate an attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.process-*
  • logs-windows.sysmon_operational-*
  • endgame-*
  • logs-m365_defender.event-*
  • logs-crowdstrike.fdr*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend
  • Data Source: Sysmon
  • Data Source: Microsoft Defender XDR
  • Data Source: Crowdstrike
  • Resources: Investigation Guide

Version: 219

Rule authors:

  • Elastic
  • Dennis Perto

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Suspicious Microsoft Antimalware Service Execution

Possible investigation steps

  • Which Defender identity anomaly did the alert capture?
  • Focus: process.name, process.pe.original_file_name, process.executable, process.code_signature.subject_name, and process.code_signature.trusted.
  • Implication: escalate when process.pe.original_file_name is "MsMpEng.exe" under renamed process.name, or process.name is "MsMpEng.exe" outside Defender/Microsoft Security Client paths, even with trusted Microsoft signing; lower suspicion only when exact path, signer, and name pattern fit controlled packaging, recovery, or malware-analysis copy.
  • Does the path, file timing, and parent context look like staged Defender abuse?
  • Why: unusual-path Defender binaries can load same-folder DLLs through search-order behavior, so path and parent context separate masquerading or side-loading from controlled copies.
  • Focus: process.executable, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time, process.parent.executable, and process.parent.command_line.
  • Implication: escalate when the binary is fresh, recently renamed, or launched from user-writable, temp, share, archive, agent working, or Windows staging paths by a script, archive tool, RMM agent, or dropper parent; path age and parent context support benign closure only if later side-loading and launcher checks do not contradict them.
  • Does the user, token, and session context fit Defender service execution?
  • Focus: user.id, user.name, process.Ext.session_info.logon_type, and process.Ext.token.integrity_level_name.
  • Implication: escalate when the process runs under an interactive/domain user, a non-service logon, or a user-level token that does not fit antimalware service startup; SYSTEM or service context lowers only the session concern and does not clear the unusual path by itself.
  • If file or library telemetry is available, is there same-directory staging or DLL side-loading evidence?
  • Focus: recover file and library events with host.id plus process.entity_id when present, or host.id plus process.pid and a tight alert window; inspect file.path, dll.path, dll.name, dll.code_signature.trusted, and dll.Ext.relative_file_creation_time. !{investigate{"description":"","label":"File and library events for the suspicious process","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"file","valueType":"string"}],[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"library","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  • Hint: missing file or library telemetry is unresolved, not benign; prioritize same-folder DLLs whose path, signer, or creation time does not fit the product layout, plus artifacts created before process.executable started.
  • Implication: escalate when the unusual Defender copy loads a recent, unsigned/untrusted same-folder DLL or the directory contains newly staged executables, DLLs, scripts, archives, or renamed files; complete recovery with only expected Microsoft components lowers side-loading concern.
  • Does the process act as a launcher rather than a passive service component?
  • Focus: child process events where process.parent.entity_id matches suspicious process.entity_id, repeated starts from process.executable on host.id, and child process.name, process.executable, and process.command_line.
  • !{investigate{"description":"","label":"Child process events for the suspicious process","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  • !{investigate{"description":"","label":"Process events for the suspicious executable path","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.executable","queryType":"phrase","value":"{{process.executable}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Implication: escalate when it starts shells, PowerShell, certutil, netsh, installers, encryption tooling, or other hands-on-keyboard utilities, or when repeated launches suggest staged execution; no child or repeat behavior lowers launcher concern but does not clear the path anomaly.
  • If local findings stay suspicious or unresolved, do related alerts show path reuse or host compromise?
  • Focus: related alerts for process.executable, especially unusual-path Defender, masquerading, or side-loading detections.
  • !{investigate{"description":"","label":"Alerts associated with the suspicious executable path","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"process.executable","queryType":"phrase","value":"{{process.executable}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Hint: also review related alerts for host.id or user.id, especially staging, persistence, credential-access, ransomware, or other masquerading detections.
  • !{investigate{"description":"","label":"Alerts associated with the host","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • !{investigate{"description":"","label":"Alerts associated with the user","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Implication: broaden scope when the same path appears on unrelated hosts or the host has precursor or follow-on alerts; keep the case local only when related alerts show no reuse or follow-on activity and all local evidence is clean.
  • Escalate when Defender identity/path evidence plus one meaningful corroborator supports masquerading or DLL side-loading; close only when exact path, signer, parent, session, host/user scope, and optional outside confirmation tie to one controlled workflow with no contradictory telemetry; preserve artifacts and escalate when findings stay mixed or visibility is incomplete.
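The same-directory DLL check from the side-loading step above, written out as an added Python example (this is not Elastic's code and not part of the investigation guide). It runs over constructed library events using the field names the guide cites; the one-day "recent" threshold, the entity ids and the paths are assumptions, and ntpath is used so the Windows paths parse the same way on any analyst workstation.

```python
import ntpath

# Constructed telemetry: a Defender copy started from a user's Temp folder (proc-1)
# and the library events its load produced. Field names follow the guide; values are invented.
SUSPICIOUS_PROCESS = {
    "process.entity_id": "proc-1",
    "process.executable": r"C:\Users\jdoe\AppData\Local\Temp\MsMpEng.exe",
}

LIBRARY_EVENTS = [
    # same-folder DLL, unsigned, written minutes before the load
    {"process.entity_id": "proc-1", "dll.name": "mpclient.dll",
     "dll.path": r"C:\Users\jdoe\AppData\Local\Temp\mpclient.dll",
     "dll.code_signature.trusted": False, "dll.Ext.relative_file_creation_time": 180.0},
    # same-folder DLL, trusted signature, old file: looks like an expected product component
    {"process.entity_id": "proc-1", "dll.name": "MpSvc.dll",
     "dll.path": r"C:\Users\jdoe\AppData\Local\Temp\MpSvc.dll",
     "dll.code_signature.trusted": True, "dll.Ext.relative_file_creation_time": 5_000_000.0},
    # system DLL from System32: different directory, ignored by the same-folder check
    {"process.entity_id": "proc-1", "dll.name": "kernel32.dll",
     "dll.path": r"C:\Windows\System32\kernel32.dll",
     "dll.code_signature.trusted": True, "dll.Ext.relative_file_creation_time": 9_000_000.0},
    # event from an unrelated process on the same host, must not be attributed to proc-1
    {"process.entity_id": "proc-2", "dll.name": "other.dll",
     "dll.path": r"C:\Users\jdoe\AppData\Local\Temp\other.dll",
     "dll.code_signature.trusted": False, "dll.Ext.relative_file_creation_time": 10.0},
]

FRESH_SECONDS = 24 * 3600  # assumption: "recent" means created within a day of the load


def same_folder_dll_findings(process, library_events, fresh_seconds=FRESH_SECONDS):
    """List (dll.name, reasons) for DLLs the process loaded from its own directory
    that are untrusted or recently created. Only events whose process.entity_id
    matches the suspicious process are considered."""
    exe_dir = ntpath.dirname(process["process.executable"]).lower()
    findings = []
    for ev in library_events:
        if ev.get("process.entity_id") != process["process.entity_id"]:
            continue
        if ntpath.dirname(ev["dll.path"]).lower() != exe_dir:
            continue
        reasons = []
        if not ev.get("dll.code_signature.trusted", False):
            reasons.append("untrusted or missing signature")
        age = ev.get("dll.Ext.relative_file_creation_time")
        if age is not None and age < fresh_seconds:
            reasons.append("created %d s before load" % age)
        if reasons:
            findings.append((ev["dll.name"], reasons))
    return findings


def side_loading_verdict(process, library_events):
    """'unresolved' when no library telemetry exists for the process (the guide treats
    missing telemetry as unresolved, not benign), 'escalate' on any finding,
    otherwise 'lower_concern'."""
    own = [e for e in library_events if e.get("process.entity_id") == process["process.entity_id"]]
    if not own:
        return "unresolved"
    return "escalate" if same_folder_dll_findings(process, own) else "lower_concern"


if __name__ == "__main__":
    print(same_folder_dll_findings(SUSPICIOUS_PROCESS, LIBRARY_EVENTS))
    print(side_loading_verdict(SUSPICIOUS_PROCESS, LIBRARY_EVENTS))
```

Only mpclient.dll is reported: it sits next to the executable, carries no trusted signature and was created three minutes before the load. MpSvc.dll is in the same folder but is trusted and old, so it matches the "expected Microsoft components" case, and kernel32.dll is skipped because it lives in System32. With no library events for the process at all the verdict is "unresolved", which is the outcome the hint above asks for rather than a benign closure.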

False positive analysis

  • A non-default Defender installation, controlled security packaging, recovery, or malware-analysis validation can stage Microsoft antimalware binaries outside default paths. Confirm the same workflow by matching exact process.executable, process.hash.sha256 or process.code_signature.thumbprint_sha256, Microsoft process.code_signature.subject_name, process.code_signature.trusted, process.parent.executable, process.parent.command_line, user.id, host.id, and session pattern; without outside records, require recurrence across prior rule alerts without side-loading, launcher, or related-alert contradictions.
  • Treat production execution from temp, user-writable, share, archive, agent working, or Windows staging paths as an operational anti-pattern unless a controlled workflow proves why the copy exists. Do not close as benign when same-folder DLLs, child tooling, recent rename timing, or related alerts contradict it.
  • Build exceptions only from the minimum confirmed workflow pattern; avoid exceptions on process.name, process.pe.original_file_name, signer subject alone, or host alone.

Response and remediation

  • If confirmed benign, reverse any temporary containment and document the exact workflow: executable path, Microsoft signer or hash, parent process, session context, user/host scope, and any controlled packaging, recovery, or lab record that corroborated the telemetry. Create an exception only after the same narrow workflow pattern is stable across prior alerts.
  • If suspicious but unconfirmed, preserve the alert details, process tree, command line, binary copy and hash, parent context, directory listing, same-folder DLLs, and related-alert timeline before containment. Apply reversible containment first, such as execution prevention on the suspicious path or temporary host isolation when active launcher behavior or side-loading creates continuing risk and the host role can tolerate interruption.
  • If confirmed malicious, preserve process and artifact evidence first, including the suspicious Defender copy, same-folder DLLs, support files, launcher context, and related-alert timeline. Then isolate the host or apply an equivalent endpoint containment control, terminate only the suspicious non-default-path or renamed Defender instance, quarantine the suspicious executable and supporting files, remove launcher or persistence artifacts found during scoping, and restore the legitimate security product from known-good media if the masquerading copy replaced or shadowed a trusted component.
  • After containment, restrict execution from user-writable, temporary, share, archive, and agent working directories where feasible, retain process/file/library telemetry that affected this case, and document the confirmed benign workflow or malicious artifact set for future triage.

Setup


This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

Rule query

process where host.os.type == "windows" and event.type == "start" and
(
  (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
  (
    process.name : "MsMpEng.exe" and
    not process.executable : (
            "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
            "?:\\Program Files\\Windows Defender\\*.exe",
            "?:\\Program Files (x86)\\Windows Defender\\*.exe",
            "?:\\Program Files\\Microsoft Security Client\\*.exe",
            "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe",

            /* Crowdstrike specific exclusion as it uses NT Object paths */
            "\\Device\\HarddiskVolume*\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files\\Windows Defender\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files (x86)\\Windows Defender\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Security Client\\*.exe",
            "\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Security Client\\*.exe"
    )
  )
)
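The rule query above and the exception guidance from the false positive analysis section, reimplemented as an added Python example (not Elastic's code and not how the detection engine evaluates EQL). The allowed-path list is copied from the query; EQL's `:` operator is approximated with a case-insensitive fnmatch, which treats backslashes and parentheses literally and gives `?` and `*` the same meaning as EQL for these patterns. All sample events, hashes, ids and the lab exception are constructed placeholders.

```python
import fnmatch

# Allowed Defender locations copied from the rule query. In EQL, "?" matches one
# character (here the drive letter) and "*" any run of characters.
DEFENDER_PATHS = [
    r"?:\ProgramData\Microsoft\Windows Defender\*.exe",
    r"?:\Program Files\Windows Defender\*.exe",
    r"?:\Program Files (x86)\Windows Defender\*.exe",
    r"?:\Program Files\Microsoft Security Client\*.exe",
    r"?:\Program Files (x86)\Microsoft Security Client\*.exe",
    # CrowdStrike FDR records NT Object Manager paths instead of drive letters.
    r"\Device\HarddiskVolume*\ProgramData\Microsoft\Windows Defender\*.exe",
    r"\Device\HarddiskVolume*\Program Files\Windows Defender\*.exe",
    r"\Device\HarddiskVolume*\Program Files (x86)\Windows Defender\*.exe",
    r"\Device\HarddiskVolume*\Program Files\Microsoft Security Client\*.exe",
    r"\Device\HarddiskVolume*\Program Files (x86)\Microsoft Security Client\*.exe",
]


def wildcard_match(value, pattern):
    """Approximate EQL ':' matching: case-insensitive, '?' = one char, '*' = any run.
    fnmatch escapes backslashes and parentheses, which is what these patterns need."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(event):
    """Return which branch of the rule query fires for one process start event, or
    None. '==' is case-sensitive in EQL while ':' is not; both are mirrored here."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return None
    name = event.get("process.name", "")
    exe = event.get("process.executable", "")
    if event.get("process.pe.original_file_name") == "MsMpEng.exe" and not wildcard_match(name, "MsMpEng.exe"):
        return "renamed MsMpEng.exe"
    if wildcard_match(name, "MsMpEng.exe") and not any(wildcard_match(exe, p) for p in DEFENDER_PATHS):
        return "MsMpEng.exe outside Defender paths"
    return None


# Fields an exception must pin, following the false-positive guidance: never
# process.name, original_file_name, signer subject or host on their own.
EXCEPTION_FIELDS = (
    "process.executable", "process.hash.sha256", "process.code_signature.subject_name",
    "process.code_signature.trusted", "process.parent.executable", "user.id", "host.id",
)


def matches_exception(event, exception):
    """True only when every pinned field matches (strings compared case-insensitively)."""
    for field in EXCEPTION_FIELDS:
        want, got = exception.get(field), event.get(field)
        if isinstance(want, str) and isinstance(got, str):
            if want.lower() != got.lower():
                return False
        elif want != got:
            return False
    return True


def triage(event, exceptions=()):
    """'alert' when the rule fires and no narrow exception covers the event,
    'suppressed' when one does, None when the rule is silent."""
    if rule_matches(event) is None:
        return None
    return "suppressed" if any(matches_exception(event, x) for x in exceptions) else "alert"


# Constructed sample events; hashes, SIDs and host ids are placeholders, not real indicators.
BASE = {"host.os.type": "windows", "event.type": "start", "host.id": "host-a", "user.id": "S-1-5-18",
        "process.code_signature.subject_name": "Microsoft Windows Publisher",
        "process.code_signature.trusted": True, "process.hash.sha256": "placeholder-sha256-1",
        "process.parent.executable": r"C:\Windows\System32\services.exe"}
LEGIT = dict(BASE, **{"process.name": "MsMpEng.exe", "process.pe.original_file_name": "MsMpEng.exe",
                      "process.executable": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"})
CROWDSTRIKE_LEGIT = dict(LEGIT, **{"process.executable": r"\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe"})
RENAMED = dict(BASE, **{"process.name": "svchost.exe", "process.pe.original_file_name": "MsMpEng.exe",
                        "process.executable": r"C:\Users\Public\svchost.exe"})
TEMP_COPY = dict(BASE, **{"process.name": "MsMpEng.exe", "process.pe.original_file_name": "MsMpEng.exe",
                          "process.executable": r"C:\Users\jdoe\AppData\Local\Temp\MsMpEng.exe",
                          "process.parent.executable": r"C:\Windows\System32\cmd.exe", "user.id": "S-1-5-21-100-1001"})
# Hypothetical malware-analysis lab exception: pins the whole workflow tuple for one host,
# so the same path on another host or under another parent still alerts.
LAB_EXCEPTION = {f: TEMP_COPY[f] for f in EXCEPTION_FIELDS}
```

`LEGIT` and `CROWDSTRIKE_LEGIT` are silent because the `*.exe` wildcard also spans the versioned `Platform\...` subfolder and the NT volume path. `RENAMED` fires on the first branch (original file name says MsMpEng.exe, process name does not), `TEMP_COPY` on the second. The lab exception suppresses `TEMP_COPY` only on `host-a` with that exact parent, user, signer and hash; changing any one of those fields, for example `host.id`, turns the result back into an alert, which is the behaviour the "minimum confirmed workflow pattern" guidance calls for.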

Framework: MITRE ATT&CK™