Skip to content

Hide Navigation Hide TOC

Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution (02b18447-ea83-4b1b-8805-714a8a34546a)

Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution (02b18447-ea83-4b1b-8805-714a8a34546a) Sigma-Rules System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1