Techniques
Sample rules
Excessive File Deletion In WinDefender Folder
- source: splunk
- technicques:
- T1485
Description
The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.
Detection logic
`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*"
| stats count min(_time) as firstTime, max(_time) as lastTime values(file_path) as file_path values(file_hash) as file_hash values(file_name) as file_name values(file_modify_time) as file_modify_time values(process_name) as process_name values(process_path) as process_path values(process_guid) as process_guid values(process_id) as process_id values(process_exec) as process_exec by action dest dvc signature signature_id user user_id vendor_product
| where count >=50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_file_deletion_in_windefender_folder_filter`