EXPLORE
← Back to Explore
splunk_escuAnomaly

Powershell Remove Windows Defender Directory

The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing "rmdir" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.

Detection Query

`powershell`
EventCode=4104
ScriptBlockText = "*rmdir *"
ScriptBlockText = "*\\Microsoft\\Windows Defender*"
| fillnull
| stats count min(_time) as firstTime
              max(_time) as lastTime
  by dest signature signature_id user_id
     vendor_product EventID Guid Opcode
     Name Path ProcessID
     ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_remove_windows_defender_directory_filter`

Author

Teoderick Contreras, Splunk

Data Sources

Powershell Script Block Logging 4104
Raw Content
name: Powershell Remove Windows Defender Directory
id: adf47620-79fa-11ec-b248-acde48001122
version: 17
creation_date: '2022-01-20'
modification_date: '2026-06-29'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: |-
    The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory.
    It leverages PowerShell Script Block Logging to identify commands containing "rmdir" and targeting the Windows Defender path.
    This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component.
    If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell`
    EventCode=4104
    ScriptBlockText = "*rmdir *"
    ScriptBlockText = "*\\Microsoft\\Windows Defender*"
    | fillnull
    | stats count min(_time) as firstTime
                  max(_time) as lastTime
      by dest signature signature_id user_id
         vendor_product EventID Guid Opcode
         Name Path ProcessID
         ScriptBlockId ScriptBlockText
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `powershell_remove_windows_defender_directory_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
drilldown_searches:
    - name: View the detection results for - "$Computer$" and "$user$"
      search: '%original_detection_search% | search  Computer = "$Computer$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$Computer$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A suspicious powershell script with the ScriptBlockId [$ScriptBlockId$] containing rmdir commands to potentially delete the Windows Defender directory was executed on host $dest$ by user $user_id$
        - field: user_id
          type: user
          score: 20
          message: A suspicious powershell script with the ScriptBlockId [$ScriptBlockId$] containing rmdir commands to potentially delete the Windows Defender directory was executed on host $dest$ by user $user_id$
analytic_story:
    - Data Destruction
    - WhisperGate
asset_type: Endpoint
mitre_attack_id:
    - T1685
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog
      test_type: unit