Techniques
Sample rules
Windows Suspicious Defender Update Activity in INetCache
- source: splunk
- techniques:
Description
Detects a non-Defender process writing mpam-fe*.exe to the Windows Internet Cache (INetCache). BlueHammer downloads the WD signature update package directly using WinINet as a low-privileged user. The [1].exe naming suffix is produced by Windows HTTP caching and is a reliable artifact of this download method.
Detection logic
`sysmon`
EventID IN ("11","23")
TargetFilename="*\\INetCache*"
TargetFilename="*\\mpam-fe[1].exe*"
NOT Image IN (
"*:\\Program Files\\Windows Defender*",
"*:\\ProgramData\\Microsoft\\Windows Defender*",
"*:\\Windows\\System32\\MpSigStub.exe*"
)
| fillnull
| rename Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime
by dest TargetFilename Image EventID
action file_name file_path process_guid
process_id user vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_defender_update_activity_in_inetcache_filter`
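As an added illustration that is not part of the rule or of Splunk's content, the following Python re-implements the search clause (EventID, both TargetFilename wildcards, the Image allowlist) and the `stats count by` grouping over constructed Sysmon events, so the filter can be checked offline against known-good and known-bad samples. Splunk's `*` is the only wildcard and `[1]` is literal, which is why the matcher builds its own regex rather than using fnmatch. The host name `ws01`, the `updater.exe` path and the cache directory name are constructed placeholders.

```python
import re
from collections import Counter

# Splunk wildcard patterns from the rule; "\\" in the SPL is an escaped backslash, so raw strings are used here.
TARGET_PATTERNS = [r"*\INetCache*", r"*\mpam-fe[1].exe*"]
ALLOWLISTED_IMAGES = [
    r"*:\Program Files\Windows Defender*",
    r"*:\ProgramData\Microsoft\Windows Defender*",
    r"*:\Windows\System32\MpSigStub.exe*",
]
EVENT_IDS = {"11", "23"}  # Sysmon FileCreate and FileDelete

def splunk_match(value, pattern):
    """Case-insensitive match where '*' is the only wildcard; '[1]' stays literal, unlike fnmatch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def is_suspicious(event):
    """Apply the rule's search clause to one Sysmon event (dict of field -> string)."""
    if event.get("EventID") not in EVENT_IDS:
        return False
    target = event.get("TargetFilename", "")
    if not all(splunk_match(target, p) for p in TARGET_PATTERNS):
        return False
    return not any(splunk_match(event.get("Image", ""), p) for p in ALLOWLISTED_IMAGES)

def run_detection(events):
    """Equivalent of '| stats count by dest TargetFilename Image EventID' over the matching events."""
    counts = Counter((e["Computer"], e["TargetFilename"], e["Image"], e["EventID"])
                     for e in events if is_suspicious(e))
    return [{"dest": d, "TargetFilename": t, "Image": i, "EventID": eid, "count": n}
            for (d, t, i, eid), n in sorted(counts.items())]

# Constructed sample events (not real telemetry); field names follow Sysmon's.
def ev(event_id, image, target, computer="ws01"):
    return {"Computer": computer, "EventID": event_id, "Image": image, "TargetFilename": target}

CACHED = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\K3Z7Q1A2\mpam-fe[1].exe"
USER_TOOL = r"C:\Users\alice\AppData\Local\Temp\updater.exe"  # hypothetical non-Defender downloader
SAMPLE_EVENTS = [
    ev("11", USER_TOOL, CACHED),                                         # hit: unexpected writer
    ev("23", USER_TOOL, CACHED),                                         # hit: same process deleting it
    ev("11", r"C:\Program Files\Windows Defender\MpCmdRun.exe", CACHED),  # allowlisted Defender path
    ev("11", r"C:\Windows\System32\MpSigStub.exe", CACHED),              # allowlisted signature stub
    ev("11", USER_TOOL, r"C:\Users\alice\Downloads\mpam-fe.exe"),        # not in INetCache, no [1] suffix
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Only the two `updater.exe` events survive the filter; the Defender-path writes and the plain Downloads copy are dropped, which is the behaviour the allowlist and the INetCache constraint are meant to produce.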