Some legitimate software updates or security tools may create Windows Defender engine or signature files in user temp folders during scanning or updating processes. Filter detections for trusted update utilities and system maintenance tasks.

Techniques

Sample rules

Windows Suspicious Defender Engine or Signature Files Created

Description

Detects Windows Defender engine (mpengine.dll) or signature database files (*.vdm) being created by any process that is not a Windows Defender component. BlueHammer extracts these files from the downloaded mpam-fe update package into a UUID-named subdirectory of %TEMP% to stage its TOCTOU privilege escalation.

Detection logic

`sysmon` EventID="11"
TargetFilename IN (
    "*\\mpasbase.vdm*",
    "*\\mpasdlta.vdm*",
    "*\\mpavbase.vdm*",
    "*\\mpavdlta.vdm*",
    "*\\mpengine.dll*"
)
NOT Image IN (
    "*:\\ProgramData\\Microsoft\\Windows Defender\\*",
    "*:\\Program Files\\Windows Defender\\*"
)
| fillnull
| rename Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime by dest TargetFilename Image EventID action file_name file_path process_guid process_id user vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_defender_engine_or_signature_files_created_filter`
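The following is an added example, not part of the rule or the LoFP entry, that replays the search logic above over constructed Sysmon EventID 11 events: the TargetFilename wildcards, the Windows Defender image exclusion, and a stand-in for the `_filter` tuning macro that suppresses the trusted-updater false positive described at the top of the page. The host name, user, temp directory, UUID directory name, and the "Contoso Patch Agent" product are invented for the sample; the wildcards themselves are copied from the rule. Splunk's `IN()` with wildcards matches case-insensitively, so both sides are lowercased before `fnmatch`.

```python
import fnmatch
from dataclasses import dataclass

# Wildcards copied from the rule's TargetFilename IN (...) clause.
SIGNATURE_FILE_PATTERNS = [
    r"*\mpasbase.vdm*",
    r"*\mpasdlta.vdm*",
    r"*\mpavbase.vdm*",
    r"*\mpavdlta.vdm*",
    r"*\mpengine.dll*",
]

# Wildcards copied from the rule's NOT Image IN (...) clause: legitimate Defender components.
DEFENDER_IMAGE_PATTERNS = [
    r"*:\ProgramData\Microsoft\Windows Defender\*",
    r"*:\Program Files\Windows Defender\*",
]

# Hypothetical tuning list standing in for the rule's
# `windows_suspicious_defender_engine_or_signature_files_created_filter` macro.
# The Contoso product name is constructed for this example.
TRUSTED_UPDATER_PATTERNS = [
    r"*\Contoso Patch Agent\patchagent.exe",
]


@dataclass(frozen=True)
class SysmonFileCreate:
    """The Sysmon EventID 11 fields the rule keys on."""
    computer: str
    event_id: int
    image: str
    target_filename: str
    user: str


def matches_any(value: str, patterns) -> bool:
    """Case-insensitive wildcard match, mirroring Splunk IN() semantics."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_suspicious(ev: SysmonFileCreate, trusted=()) -> bool:
    """Apply the rule's search clause, then the tuning filter."""
    if ev.event_id != 11:
        return False
    if not matches_any(ev.target_filename, SIGNATURE_FILE_PATTERNS):
        return False
    if matches_any(ev.image, DEFENDER_IMAGE_PATTERNS):
        return False
    return not matches_any(ev.image, trusted)


def run_detection(events, trusted=()):
    """Mirror `stats count by dest TargetFilename Image` for the matching events."""
    counts = {}
    for ev in events:
        if is_suspicious(ev, trusted):
            key = (ev.computer, ev.target_filename, ev.image)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events (not real telemetry): host, user, paths and the UUID directory are invented.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
UUID_DIR = TEMP + r"\3f9c1a6e-2b7d-4c58-9e01-5a6b7c8d9e0f"
SAMPLE_EVENTS = [
    # Normal definition update: the Defender platform service writes the engine itself (excluded).
    SysmonFileCreate("WS01", 11,
                     r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MsMpEng.exe",
                     r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{a1b2c3d4-0000-4000-8000-000000000001}\mpengine.dll",
                     r"NT AUTHORITY\SYSTEM"),
    # An archiver extracting an mpam-fe package into a UUID-named %TEMP% subdirectory (alerts).
    SysmonFileCreate("WS01", 11, r"C:\Program Files\7-Zip\7z.exe", UUID_DIR + r"\mpengine.dll", r"WS01\alice"),
    SysmonFileCreate("WS01", 11, r"C:\Program Files\7-Zip\7z.exe", UUID_DIR + r"\mpavbase.vdm", r"WS01\alice"),
    # Third-party patch agent staging a signature file: the false positive the filter macro should cover.
    SysmonFileCreate("WS01", 11, r"C:\Program Files\Contoso Patch Agent\patchagent.exe",
                     r"C:\Windows\Temp\defupd\mpasdlta.vdm", r"NT AUTHORITY\SYSTEM"),
    # Same archiver writing an unrelated file: no TargetFilename match.
    SysmonFileCreate("WS01", 11, r"C:\Program Files\7-Zip\7z.exe", TEMP + r"\readme.txt", r"WS01\alice"),
    # Matching path on a non-FileCreate event: wrong EventID, ignored.
    SysmonFileCreate("WS01", 1, r"C:\Windows\System32\cmd.exe", TEMP + r"\mpengine.dll", r"WS01\alice"),
]

if __name__ == "__main__":
    for key, n in run_detection(SAMPLE_EVENTS, TRUSTED_UPDATER_PATTERNS).items():
        print(n, *key)
```

Run without the trusted list, the sample yields three hits (the two archiver writes plus the patch agent); with the list, the patch agent drops out and only the two UUID-directory writes remain. The Defender service write never surfaces because the image exclusion, not the filter macro, handles it, which is why a tuning entry for Defender's own paths is unnecessary.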