← Back to Explore
splunk_escuAnomaly
Powershell Remove Windows Defender Directory
The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing "rmdir" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.
Detection Query
`powershell`
EventCode=4104
ScriptBlockText = "*rmdir *"
ScriptBlockText = "*\\Microsoft\\Windows Defender*"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by dest signature signature_id user_id
vendor_product EventID Guid Opcode
Name Path ProcessID
ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_remove_windows_defender_directory_filter`Author
Teoderick Contreras, Splunk
Data Sources
Powershell Script Block Logging 4104
Raw Content
name: Powershell Remove Windows Defender Directory
id: adf47620-79fa-11ec-b248-acde48001122
version: 17
creation_date: '2022-01-20'
modification_date: '2026-06-29'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: |-
The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory.
It leverages PowerShell Script Block Logging to identify commands containing "rmdir" and targeting the Windows Defender path.
This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component.
If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.
data_source:
- Powershell Script Block Logging 4104
search: |-
`powershell`
EventCode=4104
ScriptBlockText = "*rmdir *"
ScriptBlockText = "*\\Microsoft\\Windows Defender*"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by dest signature signature_id user_id
vendor_product EventID Guid Opcode
Name Path ProcessID
ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_remove_windows_defender_directory_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: No false positives have been identified at this time.
references:
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
drilldown_searches:
- name: View the detection results for - "$Computer$" and "$user$"
search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: dest
type: system
score: 20
message: A suspicious powershell script with the ScriptBlockId [$ScriptBlockId$] containing rmdir commands to potentially delete the Windows Defender directory was executed on host $dest$ by user $user_id$
- field: user_id
type: user
score: 20
message: A suspicious powershell script with the ScriptBlockId [$ScriptBlockId$] containing rmdir commands to potentially delete the Windows Defender directory was executed on host $dest$ by user $user_id$
analytic_story:
- Data Destruction
- WhisperGate
asset_type: Endpoint
mitre_attack_id:
- T1685
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: XmlWinEventLog
test_type: unit