Techniques
Sample rules
Windows Suspicious Defender Engine or Signature Files Created
- source: splunk
- techniques:
Description
Detects Windows Defender engine (mpengine.dll) or signature database files (mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm) being created by any process whose image does not reside in a Windows Defender directory. BlueHammer extracts these files from the downloaded mpam-fe update package into a UUID-named subdirectory of %TEMP% while staging its TOCTOU privilege escalation, so the files appear under a user-writable path with a non-Defender writer. Note that the exclusion is by image path only, not by signer, and the trailing wildcard on each filename pattern also matches temporary or renamed variants such as mpengine.dll.tmp.
Detection logic
`sysmon` EventID="11"
    TargetFilename IN (
        "*\\mpasbase.vdm*",
        "*\\mpasdlta.vdm*",
        "*\\mpavbase.vdm*",
        "*\\mpavdlta.vdm*",
        "*\\mpengine.dll*"
    )
    NOT Image IN (
        "*:\\ProgramData\\Microsoft\\Windows Defender\\*",
        "*:\\Program Files\\Windows Defender\\*"
    )
| fillnull
| rename Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime
    by dest TargetFilename Image EventID action file_name file_path process_guid process_id user vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_defender_engine_or_signature_files_created_filter`
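The same search and stats logic, re-implemented in Python and run offline over a handful of constructed Sysmon Event ID 11 records. This is an added example, not Splunk's rule or BlueHammer code; the hostname, user, image paths, timestamps and the UUID-named staging directory are all made up to exercise the allowlist, the case-insensitive wildcard matching and the firstTime/lastTime aggregation.

```python
"""Offline re-implementation (added example, not Splunk's own code) of the
"Windows Suspicious Defender Engine or Signature Files Created" logic."""
from datetime import datetime
from fnmatch import fnmatchcase

# Same wildcard patterns as the SPL search clause.
TARGET_PATTERNS = (
    r"*\mpasbase.vdm*",
    r"*\mpasdlta.vdm*",
    r"*\mpavbase.vdm*",
    r"*\mpavdlta.vdm*",
    r"*\mpengine.dll*",
)
# Processes whose image lives under these directories are treated as Defender components.
DEFENDER_IMAGE_PATTERNS = (
    r"*:\ProgramData\Microsoft\Windows Defender\*",
    r"*:\Program Files\Windows Defender\*",
)


def _glob_ci(value, patterns):
    """Splunk-style IN() with wildcards: case-insensitive, '*' matches any run of characters."""
    lowered = value.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in patterns)


def is_suspicious(event):
    """Apply the rule's search clause to one Sysmon event (dict of field -> value)."""
    if str(event.get("EventID")) != "11":          # only FileCreate events
        return False
    if not _glob_ci(event.get("TargetFilename", ""), TARGET_PATTERNS):
        return False
    # NOT Image IN (...): a writer outside the Defender directories fires the rule.
    return not _glob_ci(event.get("Image", ""), DEFENDER_IMAGE_PATTERNS)


def detect(events):
    """Mirror the SPL stats: count, firstTime, lastTime keyed by (dest, TargetFilename, Image)."""
    rows = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = (ev["Computer"], ev["TargetFilename"], ev["Image"])   # Computer is renamed to dest in SPL
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        row = rows.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t, "user": ev.get("User")})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
    return rows


# Constructed sample events (hypothetical host, user, paths and UUID directory).
HOST = "ws01.corp.local"
TOOL_IMAGE = r"C:\Users\alice\Downloads\tool.exe"
STAGE_DIR = r"C:\Users\alice\AppData\Local\Temp\8f3c2d1e-4b5a-4c6d-9e7f-0a1b2c3d4e5f"
SAMPLE_EVENTS = [
    # Defender itself unpacking a definition update: excluded by the Image allowlist.
    {"EventID": 11, "UtcTime": "2025-01-15 10:20:01.000", "Computer": HOST, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MsMpEng.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0C1D2E3F-1111-2222-3333-444455556666}\mpengine.dll"},
    # Lower-cased Defender image path: still excluded, because matching is case-insensitive.
    {"EventID": 11, "UtcTime": "2025-01-15 10:20:02.000", "Computer": HOST, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"c:\programdata\microsoft\windows defender\platform\4.18.24090.11-0\mpcmdrun.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0C1D2E3F-1111-2222-3333-444455556666}\mpavdlta.vdm"},
    # Unknown user-land process staging engine and signature files under %TEMP%: fires.
    {"EventID": 11, "UtcTime": "2025-01-15 10:22:31.120", "Computer": HOST, "User": r"CORP\alice",
     "Image": TOOL_IMAGE, "TargetFilename": STAGE_DIR + r"\mpengine.dll"},
    {"EventID": 11, "UtcTime": "2025-01-15 10:22:31.480", "Computer": HOST, "User": r"CORP\alice",
     "Image": TOOL_IMAGE, "TargetFilename": STAGE_DIR + r"\mpavbase.vdm"},
    {"EventID": 11, "UtcTime": "2025-01-15 10:22:35.000", "Computer": HOST, "User": r"CORP\alice",
     "Image": TOOL_IMAGE, "TargetFilename": STAGE_DIR + r"\mpengine.dll"},
    # Unrelated file create and a non-FileCreate event: ignored.
    {"EventID": 11, "UtcTime": "2025-01-15 10:23:00.000", "Computer": HOST, "User": r"CORP\alice",
     "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    {"EventID": 1, "UtcTime": "2025-01-15 10:23:01.000", "Computer": HOST, "User": r"CORP\alice",
     "Image": TOOL_IMAGE, "TargetFilename": STAGE_DIR + r"\mpengine.dll"},
]

if __name__ == "__main__":
    for (dest, target, image), row in detect(SAMPLE_EVENTS).items():
        print(f"{dest}  count={row['count']}  first={row['firstTime']}  last={row['lastTime']}")
        print(f"    {image} -> {target}")
```

Run as a script it prints the two aggregated rows for the staged mpengine.dll and mpavbase.vdm, with mpengine.dll counted twice across its first and last creation time. Because the allowlist keys on the writer's image path rather than its signature, anything that can execute from under those two directories is trusted by this rule; tune the trailing filter macro rather than widening the path exclusions.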