LoFP / windows defender av updates may trigger this alert. please adjust the filter macros to mitigate false positives.

Techniques

• T1485

Sample rules

Excessive File Deletion In WinDefender Folder

• source: splunk
• technicques:
  • T1485

Description

The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.

Detection logic

`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*" 
| stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid 
| rename Image as process 
| where count >=50 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `excessive_file_deletion_in_windefender_folder_filter`