Query Details

EDR Chocking Detection

Query

let EDR_Processes = dynamic([
    "SenseIR.exe", "MsSense.exe", "MsMpEng.exe", "WinDefend.exe",
    "falcon-sensor.exe", "CSFalconService.exe",
    "SentinelService.exe", "SentinelAgent.exe",
    "CortexXDR.exe", "cyvera.exe", "pmsu.exe",
    "cb.exe", "carbonblack.exe",
    "edragent.exe", "HarfangLab.exe", "elastic-agent.exe"
]);
DeviceProcessEvents
| where ProcessCommandLine has "New-NetQosPolicy"
    or ProcessCommandLine has "Set-NetQosPolicy"
| where ProcessCommandLine has_any(EDR_Processes)
| extend SuspectActivity = "QoS Policy Creation via Command Line"
| extend AccountName = InitiatingProcessAccountName
| project TimeGenerated, DeviceName, AccountName,
    InitiatingProcessFileName, ProcessCommandLine, SuspectActivity,
    DeviceId
| union (
    DeviceRegistryEvents
    | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\"
        or RegistryKey startswith @"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\QoS\"
    | where RegistryValueName in ("Application Name", "DSCP Value", "Throttle Rate")
    | where tostring(RegistryValueData) has_any(EDR_Processes)
    | extend SuspectActivity = strcat("QoS Registry Manipulation targeting: ", tostring(RegistryValueData))
    | extend AccountName = InitiatingProcessAccountName
    | project TimeGenerated, DeviceName, AccountName,
        InitiatingProcessFileName,
        ProcessCommandLine = "N/A (Registry Modification)",
        SuspectActivity, DeviceId
)
| order by TimeGenerated desc

About this query

Explanation

This query is designed to detect suspicious activities on Windows systems that may indicate an attempt to interfere with Endpoint Detection and Response (EDR) processes. Specifically, it looks for two types of activities:

  1. Command-Line Executions: It searches for the use of commands New-NetQosPolicy or Set-NetQosPolicy in the command line. These commands are related to Quality of Service (QoS) policies, which manage network traffic priorities. The query checks if these commands are used in conjunction with the names of known EDR processes. This could suggest an attempt to manipulate network settings to affect the performance or functionality of EDR tools.

  2. Registry Modifications: It monitors changes to registry keys associated with QoS policies. The query looks for modifications where the registry value data includes the name of an EDR process. This might indicate an attempt to alter network settings at the registry level to impact EDR operations.

The query outputs details such as the time of the event, device name, account name, and the specific suspicious activity detected. It helps security teams identify potential threats where adversaries might be trying to degrade or disrupt EDR capabilities by manipulating network traffic priorities.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: June 7, 2026

Tables

DeviceProcessEventsDeviceRegistryEvents

Keywords

DevicesEDRProcessesRegistryWindowsPoliciesNetworkCommandLine

Operators

letdynamichasorhas_anyextendprojectunionstartswithintostringstrcatorder by

MITRE Techniques

Actions

GitHub