# List Defender Discovery Activities

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1518.001 | Software Discovery: Security Software Discovery| https://attack.mitre.org/techniques/T1518/001/ |

#### Description
This query lists executions of Get-MpPreference, the cmdlet that returns the preferences for Windows Defender scans and updates, including the configured exclusions. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries can abuse exclusions to execute malicious code.

False positives can come from administrators who configure or list these settings.

#### Risk
Adversaries can use Get-MpPreference to list exclusions; those exclusions can be abused to execute malicious content.

#### References
- https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps
- https://cloudbrothers.info/en/create-persistent-defender-av-exclusions-circumvent-defender-endpoint-detection/

## Defender For Endpoint
```KQL
// Process telemetry: any command line that contains the Get-MpPreference cmdlet.
let ProcessBased = DeviceProcessEvents
| where ProcessCommandLine has "Get-MpPreference"
| extend Table = "DeviceProcessEvents"
| project-reorder Table, Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName;
// PowerShell command telemetry: AdditionalFields carries the name of the executed cmdlet.
let EventBased = DeviceEvents
| extend Command = parse_json(AdditionalFields).Command
| where Command == "Get-MpPreference"
// Capture group 1 returns only the script path; group 0 would also include the "literalPath '" prefix.
| extend ScriptLocation = extract(@"literalPath '(.*?)'", 1, InitiatingProcessCommandLine)
| extend Table = "DeviceEvents"
| project-reorder Table, Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ScriptLocation;
// Combine both sources; the Table column shows which one produced each row.
union ProcessBased, EventBased
```
## Sentinel
```KQL
// Process telemetry: any command line that contains the Get-MpPreference cmdlet.
// Sentinel exposes the event time as TimeGenerated rather than Timestamp.
let ProcessBased = DeviceProcessEvents
| where ProcessCommandLine has "Get-MpPreference"
| extend Table = "DeviceProcessEvents"
| project-reorder Table, TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessFileName;
// PowerShell command telemetry: AdditionalFields carries the name of the executed cmdlet.
let EventBased = DeviceEvents
| extend Command = parse_json(AdditionalFields).Command
| where Command == "Get-MpPreference"
// Capture group 1 returns only the script path; group 0 would also include the "literalPath '" prefix.
| extend ScriptLocation = extract(@"literalPath '(.*?)'", 1, InitiatingProcessCommandLine)
| extend Table = "DeviceEvents"
| project-reorder Table, TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ScriptLocation;
// Combine both sources; the Table column shows which one produced each row.
union ProcessBased, EventBased
```

## Explanation

This query lists the execution of the Get-MpPreference command, which retrieves preferences for Windows Defender scans and updates. Adversaries can use this information to gather details about the security software on a target system and potentially exploit exclusions to execute malicious code. The query combines process-based and event-based data to provide a comprehensive list of Defender discovery activities.
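To see what the two branches of the query return on realistic rows, here is an added Python re-implementation of the same detection logic run over constructed sample telemetry (example code written for this page, not part of the original query or its author's work). The `kql_has` helper only approximates KQL's `has` term matching, and every command line and JSON field below is constructed.

```python
import json
import re

# Constructed sample telemetry (not real logs), shaped like the columns the
# KQL query reads from DeviceProcessEvents and DeviceEvents.
DEVICE_PROCESS_EVENTS = [
    {"Timestamp": "2023-11-15T09:01:00Z", "DeviceName": "ws01",
     "ProcessCommandLine": 'powershell.exe -nop -c "Get-MpPreference | Select ExclusionPath"',
     "InitiatingProcessFileName": "cmd.exe"},
    {"Timestamp": "2023-11-15T09:02:00Z", "DeviceName": "ws02",
     "ProcessCommandLine": "powershell.exe -c Get-Process",
     "InitiatingProcessFileName": "explorer.exe"},
]
DEVICE_EVENTS = [
    {"Timestamp": "2023-11-15T09:03:00Z", "DeviceName": "srv01",
     "AdditionalFields": json.dumps({"Command": "Get-MpPreference"}),
     "InitiatingProcessCommandLine": "powershell.exe -NoProfile -literalPath 'C:\\Temp\\audit.ps1'",
     "InitiatingProcessParentFileName": "services.exe"},
    {"Timestamp": "2023-11-15T09:04:00Z", "DeviceName": "srv01",
     "AdditionalFields": json.dumps({"Command": "Get-Date"}),
     "InitiatingProcessCommandLine": "powershell.exe",
     "InitiatingProcessParentFileName": "explorer.exe"},
]

SCRIPT_RE = re.compile(r"literalPath '(.*?)'")  # same pattern as the KQL extract()


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on a whole term."""
    return re.search(r"(?<![\w-])" + re.escape(term) + r"(?![\w-])", text, re.I) is not None


def process_based(rows):
    """ProcessBased branch: command lines that contain Get-MpPreference."""
    return [{"Table": "DeviceProcessEvents", **r}
            for r in rows if kql_has(r["ProcessCommandLine"], "Get-MpPreference")]


def event_based(rows):
    """EventBased branch: parse AdditionalFields.Command, then pull the script path."""
    hits = []
    for r in rows:
        if json.loads(r["AdditionalFields"]).get("Command") != "Get-MpPreference":
            continue
        m = SCRIPT_RE.search(r["InitiatingProcessCommandLine"])
        hits.append({"Table": "DeviceEvents", **r,
                     "ScriptLocation": m.group(1) if m else None})  # group 1 = path only
    return hits


def defender_discovery(process_rows, event_rows):
    """The union of both branches, as the KQL query returns it."""
    return process_based(process_rows) + event_based(event_rows)
```

On the sample rows only the `ws01` process event and the `srv01` PowerShell command event are returned, the latter with its script path filled in.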

## Details

Author: Bert-Jan Pals

Released: November 15, 2023

Tables: DeviceProcessEvents, DeviceEvents

Operators: where, extend, project-reorder, parse_json, extract, union