Query Details

List Defender Discovery Activities

Defender Discovery Activities

Query

let ProcessBased = DeviceProcessEvents
| where ProcessCommandLine has "Get-MpPreference"
| extend Table = "DeviceProcessEvents"
| project-reorder Table, Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName;
let EventBased = DeviceEvents
| extend Command = parse_json(AdditionalFields).Command
| where  Command == "Get-MpPreference"
| extend ScriptLocation = extract(@"literalPath '(.*?)'", 0, InitiatingProcessCommandLine)
| extend Table = "DeviceEvents"
| project-reorder Table, Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ScriptLocation;
union ProcessBased, EventBased

About this query

Explanation

This query is designed to identify activities related to the use of the Get-MpPreference command, which is a PowerShell function used to list preferences for Windows Defender scans and updates, including any configured exclusions. The query is relevant to the MITRE ATT&CK technique T1518.001, which involves discovering security software settings.

Key Points:

  • Purpose: The query aims to detect when the Get-MpPreference command is executed, as adversaries might use this information to understand security software configurations and potentially exploit exclusions to execute malicious code.
  • Components:
    • ProcessBased: This part of the query looks at DeviceProcessEvents to find instances where the command line includes Get-MpPreference. It organizes the results by table name, timestamp, device name, process command line, and the initiating process file name.
    • EventBased: This part examines DeviceEvents to identify when the Get-MpPreference command is executed. It extracts the script location from the initiating process command line and organizes the results similarly to the ProcessBased component.
  • Union: The results from both ProcessBased and EventBased are combined to provide a comprehensive view of all occurrences of the Get-MpPreference command execution.

Risk:

  • Adversaries can exploit the information obtained from Get-MpPreference to bypass security measures by abusing exclusions, potentially allowing them to execute malicious content undetected.

Considerations:

  • False positives may occur if legitimate administrators are configuring or listing settings using this command.

References:

  • The query references official Microsoft documentation and a blog post on creating persistent Defender AV exclusions to bypass endpoint detection.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEventsDeviceEvents

Keywords

Devices

Operators

let|wherehasextendproject-reorderparse_jsonextractunion

MITRE Techniques

Actions

GitHub