Excessive File Deletion In WinDefender Folder
- source: splunk
- techniques:
  - T1485
Description
This analytic identifies excessive file deletion events (50 or more from a single process, as recorded by Sysmon file-deletion events 23 and 26) in the Windows Defender folder under ProgramData. This technique was observed in the WhisperGate malware campaign, where adversaries used Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation.
Detection logic
`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*"
| stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid
| rename Image as process
| where count >=50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_file_deletion_in_windefender_folder_filter`
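To make the aggregation behind the SPL concrete, here is an added Python re-implementation of the same logic (not part of the Splunk rule) run over constructed Sysmon-style events. The field names mirror the SPL; the sample paths, user names and process GUIDs are made up for the illustration.

```python
from collections import defaultdict
import fnmatch

# Sysmon file-deletion events the rule matches: 23 = FileDelete (archived), 26 = FileDeleteDetected.
DELETE_EVENT_CODES = {"23", "26"}
# Same wildcard as the SPL TargetFilename filter; compared lower-cased, as Splunk matching is case-insensitive.
DEFENDER_PATTERN = r"*\programdata\microsoft\windows defender\*"
GROUP_BY = ("user", "dest", "signature", "signature_id", "Image", "process_name", "process_guid")
THRESHOLD = 50  # the rule's `where count >= 50`


def detect_excessive_defender_deletions(events, threshold=THRESHOLD):
    """Filter, group by the SPL's fields, count, collect files, track first/last time, apply threshold."""
    groups = defaultdict(lambda: {"count": 0, "deleted_files": set(), "firstTime": None, "lastTime": None})
    for ev in events:
        target = ev.get("TargetFilename", "")
        if ev.get("EventCode") not in DELETE_EVENT_CODES or not fnmatch.fnmatchcase(target.lower(), DEFENDER_PATTERN):
            continue
        g = groups[tuple(ev.get(k) for k in GROUP_BY)]
        g["count"] += 1
        g["deleted_files"].add(target)
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    hits = []
    for key, g in groups.items():
        if g["count"] >= threshold:
            row = dict(zip(GROUP_BY, key))
            row["process"] = row.pop("Image")  # `rename Image as process`
            row.update(count=g["count"], deleted_files=sorted(g["deleted_files"]),
                       firstTime=g["firstTime"], lastTime=g["lastTime"])
            hits.append(row)
    return hits


def constructed_events():
    """Constructed sample telemetry (not real data): 60 deletions under the Defender folder by one
    process (should alert), 5 by another (below threshold), and one outside the folder (filtered out)."""
    def ev(t, code, user, image, guid, target):
        return {"_time": 1704110400 + t, "EventCode": code, "user": user, "dest": "WS01",
                "signature": "File Delete", "signature_id": code, "Image": image,
                "process_name": image.rsplit("\\", 1)[-1], "process_guid": guid, "TargetFilename": target}
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    events = [ev(i, "26", r"WS01\alice", ps, "{GUID-A}",
                 rf"C:\ProgramData\Microsoft\Windows Defender\Scans\History\file{i}.dat") for i in range(60)]
    events += [ev(100 + i, "23", r"WS01\svc", r"C:\Program Files\Updater\updater.exe", "{GUID-B}",
                  rf"C:\ProgramData\Microsoft\Windows Defender\Platform\old{i}.dll") for i in range(5)]
    events.append(ev(200, "26", r"WS01\alice", r"C:\Windows\explorer.exe", "{GUID-C}",
                     r"C:\Users\alice\Desktop\notes.txt"))
    return events
```

Lowering `threshold` shows how the second process would surface if the rule's `count >= 50` were tuned down, which is the knob to revisit when the filter macro is used to suppress noisy updaters.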