GitHub Repo

Detection: Windows Suspicious Defender Engine or Signature Files Created

Updated Date: 2026-04-27 ID: 42e848eb-1d5f-4ffb-88c2-088c4a6fdfb3 Author: Raven Tait, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

Detects Windows Defender engine (mpengine.dll) or signature database files (*.vdm) being created by any process that is not a Windows Defender component. BlueHammer extracts these files from the downloaded mpam-fe update package into a UUID-named subdirectory of %TEMP% as part of staging the TOCTOU privilege escalation.

 1`sysmon` EventID="11"
 2TargetFilename IN (
 3    "*\\mpasbase.vdm*",
 4    "*\\mpasdlta.vdm*",
 5    "*\\mpavbase.vdm*",
 6    "*\\mpavdlta.vdm*",
 7    "*\\mpengine.dll*"
 8)
 9NOT Image IN (
10    "*:\\ProgramData\\Microsoft\\Windows Defender\\*",
11    "*:\\Program Files\\Windows Defender\\*"
12)
13
14| fillnull
15
16| rename Computer as dest
17
18| stats count by dest TargetFilename Image EventID
19                 action file_name file_path process_guid
20                 process_id user vendor_product
21
22
23| `security_content_ctime(firstTime)`
24
25| `security_content_ctime(lastTime)`
26
27| `windows_suspicious_defender_engine_or_signature_files_created_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 11 Windows icon Windows 'XmlWinEventLog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_suspicious_defender_engine_or_signature_files_created_filter search *
windows_suspicious_defender_engine_or_signature_files_created_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation
Exploitation
DE.AE
CIS 10

CVE

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Some legitimate software updates or security tools may create Windows Defender engine or signature files in user temp folders during scanning or updating processes. Filter detections for trusted update utilities and system maintenance tasks.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
Windows Defender Engine or Signature file $file_path$ created by Non-Defender Process $Image$ on $dest$. dest system 20

Threat Objects

Field Type
Image process

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1