This analytic identifies a suspicious PowerShell command used to delete the Windows Defender folder. The technique was observed in the WhisperGate malware campaign, where NirSoft's advancedrun.exe was used to gain administrative privileges and then execute a PowerShell command that deletes the Windows Defender folder. This is a good indicator that the offending process is trying to corrupt a Windows Defender installation.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-01-18
- Author: Teoderick Contreras, Splunk
- ID: adf47620-79fa-11ec-b248-acde48001122
Kill Chain Phase
- CIS 3
- CIS 5
- CIS 16
`powershell` EventCode=4104 Message = "*rmdir *" AND Message = "*\\Microsoft\\Windows Defender*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_remove_windows_defender_directory_filter`
The SPL above uses the following Macros:
- powershell
- security_content_ctime
- powershell_remove_windows_defender_directory_filter
Note that powershell_remove_windows_defender_directory_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
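The following is an added, stand-alone illustration (not Splunk's code) of what the search and its stats clause do, run over a constructed set of EventCode 4104 script block events; hostnames, user names and timestamps are made up.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of PowerShell script block events (EventCode 4104) with the
# fields the detection groups on. _time is epoch seconds, as Splunk stores it.
SAMPLE_EVENTS = [
    {"_time": 1642500005, "EventCode": 4104, "ComputerName": "ws01.corp.example",
     "User": "CORP\\alice",
     "Message": "rmdir \"C:\\ProgramData\\Microsoft\\Windows Defender\""},
    {"_time": 1642500019, "EventCode": 4104, "ComputerName": "ws01.corp.example",
     "User": "CORP\\alice",
     "Message": "rmdir \"C:\\ProgramData\\Microsoft\\Windows Defender\""},
    # Same path, but only a directory listing: must not fire.
    {"_time": 1642500100, "EventCode": 4104, "ComputerName": "ws02.corp.example",
     "User": "CORP\\bob",
     "Message": "Get-ChildItem \"C:\\ProgramData\\Microsoft\\Windows Defender\""},
    # rmdir of an unrelated folder: must not fire.
    {"_time": 1642500200, "EventCode": 4104, "ComputerName": "ws02.corp.example",
     "User": "CORP\\bob", "Message": "rmdir C:\\Temp\\build"},
]

# The two Message= wildcards from the SPL. Inside Splunk double quotes "\\" is
# one literal backslash, which is what the second pattern matches here.
PATTERNS = ["*rmdir *", "*\\Microsoft\\Windows Defender*"]

def security_content_ctime(epoch):
    """Stand-in for the security_content_ctime macro: epoch -> readable UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def event_matches(event):
    """Splunk wildcard comparisons on field values are case-insensitive."""
    msg = event["Message"].lower()
    return event["EventCode"] == 4104 and all(
        fnmatch.fnmatchcase(msg, p.lower()) for p in PATTERNS)

def run_detection(events):
    """Apply the search and the stats aggregation; one row per group."""
    groups = defaultdict(list)
    for ev in filter(event_matches, events):
        groups[(ev["EventCode"], ev["Message"], ev["ComputerName"], ev["User"])].append(ev["_time"])
    return [{"EventCode": code, "Message": msg, "ComputerName": host, "User": user,
             "count": len(times),
             "firstTime": security_content_ctime(min(times)),
             "lastTime": security_content_ctime(max(times))}
            for (code, msg, host, user), times in groups.items()]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["count"], row["firstTime"], row["lastTime"], row["ComputerName"], row["Message"])
```

Only the two rmdir events on ws01 survive the search and collapse into a single row with count 2, the listing on ws02 and the unrelated rmdir are filtered out.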
How To Implement
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup guidance is available at https://docs.splunk.com/Documentation/UBA/126.96.36.199/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
Known False Positives
Associated Analytic story
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 90.0 | 100 | 90 | suspicious powershell script $Message$ was executed on the $ComputerName$ |
source | version: 2