LoFP / Some legitimate system maintenance tools or security scanners may download updates using WinINet and write to INetCache with similar naming patterns. Filter alerts when these tools are verified and approved.

Techniques

Sample rules

Windows Suspicious Defender Update Activity in INetCache

Description

Detects a non-Defender process writing mpam-fe*.exe to the Windows Internet Cache (INetCache). BlueHammer downloads the WD signature update package directly using WinINet as a low-privileged user. The [1].exe naming suffix is produced by Windows HTTP caching and is a reliable artifact of this download method.

Detection logic

`sysmon`
EventID IN ("11","23")
TargetFilename="*\\INetCache*"
TargetFilename="*\\mpam-fe[1].exe*"
NOT Image IN (
    "*:\\Program Files\\Windows Defender*",
    "*:\\ProgramData\\Microsoft\\Windows Defender*",
    "*:\\Windows\\System32\\MpSigStub.exe*"
)
| fillnull
| rename Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime by dest TargetFilename Image EventID
                 action file_name file_path process_guid
                 process_id user vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_defender_update_activity_in_inetcache_filter`
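As an added example that is not part of the original rule or this page, the same detection logic in Python, run over constructed Sysmon events and extended with the approved-tool filter the false-positive note calls for. Host names, user paths and the ExampleScanner entry are assumptions; the wildcard matcher treats only `*` as special so that `[1]` stays literal, as Splunk does.

```python
import re
from dataclasses import dataclass

# Allowlist of Defender's own updater paths, mirroring the rule's NOT Image IN (...) clause.
DEFENDER_IMAGE_PATTERNS = [
    "*:\\Program Files\\Windows Defender*",
    "*:\\ProgramData\\Microsoft\\Windows Defender*",
    "*:\\Windows\\System32\\MpSigStub.exe*",
]
# Hypothetical site-specific filter for verified, approved tools (the LoFP note above).
APPROVED_IMAGE_PATTERNS = ["*:\\Program Files\\ExampleScanner\\updater.exe"]

@dataclass
class SysmonEvent:
    event_id: int        # 11 = FileCreate, 23 = FileDelete
    computer: str
    image: str           # process that wrote the file
    target_filename: str

def wildcard_match(value: str, pattern: str) -> bool:
    """Splunk-style wildcard: only '*' is special, so '[1]' is literal (unlike fnmatch)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def is_suspicious(ev: SysmonEvent) -> bool:
    """True when a non-Defender, non-approved process writes mpam-fe[1].exe under INetCache."""
    if ev.event_id not in (11, 23):
        return False
    if not (wildcard_match(ev.target_filename, "*\\INetCache*")
            and wildcard_match(ev.target_filename, "*\\mpam-fe[1].exe*")):
        return False
    excluded = DEFENDER_IMAGE_PATTERNS + APPROVED_IMAGE_PATTERNS
    return not any(wildcard_match(ev.image, p) for p in excluded)

def alerts(events):
    """Aggregate hits by host, file, image and event id, like the rule's `stats count by`."""
    counts = {}
    for ev in events:
        if is_suspicious(ev):
            key = (ev.computer, ev.target_filename, ev.image, ev.event_id)
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample events; every path and host name here is made up for this example.
CACHE = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\AB12CD34\\mpam-fe[1].exe"
SAMPLE_EVENTS = [
    SysmonEvent(11, "WS01", "C:\\Users\\alice\\Downloads\\tool.exe", CACHE),               # alert
    SysmonEvent(11, "WS01", "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", CACHE),    # Defender
    SysmonEvent(11, "WS02", "C:\\Program Files\\ExampleScanner\\updater.exe", CACHE),      # approved
    SysmonEvent(1, "WS01", "C:\\Users\\alice\\Downloads\\tool.exe", CACHE),                # not a file event
    SysmonEvent(23, "WS01", "C:\\Users\\alice\\Downloads\\tool.exe", CACHE),               # alert (delete)
]
```

Running `alerts(SAMPLE_EVENTS)` yields two alert keys for WS01, one for the create and one for the delete; the Defender, approved-tool and non-file events drop out.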