Query Details
Defender Script Scanning Disable Detection
Query
//This query detects attempts to disable Microsoft Defender's script scanning functionality //Monitors registry modifications to Real-Time Protection settings DeviceRegistryEvents | where Timestamp >= ago(7d) | where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Microsoft Antimalware\\Real-Time Protection" | where RegistryValueName == "DisableScriptScanning" | where RegistryValueType == "Dword" | where RegistryValueData == 1 | where IsInitiatingProcessRemoteSession == true
Explanation
This query is designed to identify any attempts to turn off the script scanning feature of Microsoft Defender within the last 7 days. It specifically looks for changes made to a particular registry key that controls real-time protection settings. The query filters for:
- Events from the past week.
- Modifications to the registry key related to Microsoft Defender's real-time protection.
- Changes where the specific setting "DisableScriptScanning" is altered.
- The change is of type "Dword" and the value is set to 1, indicating that script scanning has been disabled.
- The modification was initiated from a remote session, suggesting potential unauthorized access.
Details
Emre Ay
Released: November 10, 2024
Tables
DeviceRegistryEvents
Keywords
DeviceRegistryEventsTimestampRegistryKeyRegistryValueNameRegistryValueTypeRegistryValueDataIsInitiatingProcessRemoteSession
Operators
DeviceRegistryEvents|where>=ago================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================,