EDR Chocking Detection
Query
let EDR_Processes = dynamic([
"SenseIR.exe", "MsSense.exe", "MsMpEng.exe", "WinDefend.exe",
"falcon-sensor.exe", "CSFalconService.exe",
"SentinelService.exe", "SentinelAgent.exe",
"CortexXDR.exe", "cyvera.exe", "pmsu.exe",
"cb.exe", "carbonblack.exe",
"edragent.exe", "HarfangLab.exe", "elastic-agent.exe"
]);
DeviceProcessEvents
| where ProcessCommandLine has "New-NetQosPolicy"
or ProcessCommandLine has "Set-NetQosPolicy"
| where ProcessCommandLine has_any(EDR_Processes)
| extend SuspectActivity = "QoS Policy Creation via Command Line"
| extend AccountName = InitiatingProcessAccountName
| project TimeGenerated, DeviceName, AccountName,
InitiatingProcessFileName, ProcessCommandLine, SuspectActivity,
DeviceId
| union (
DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\"
or RegistryKey startswith @"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\QoS\"
| where RegistryValueName in ("Application Name", "DSCP Value", "Throttle Rate")
| where tostring(RegistryValueData) has_any(EDR_Processes)
| extend SuspectActivity = strcat("QoS Registry Manipulation targeting: ", tostring(RegistryValueData))
| extend AccountName = InitiatingProcessAccountName
| project TimeGenerated, DeviceName, AccountName,
InitiatingProcessFileName,
ProcessCommandLine = "N/A (Registry Modification)",
SuspectActivity, DeviceId
)
| order by TimeGenerated descAbout this query
Explanation
This query is designed to detect suspicious activities on Windows systems that may indicate an attempt to interfere with Endpoint Detection and Response (EDR) processes. Specifically, it looks for two types of activities:
-
Command-Line Executions: It searches for the use of commands
New-NetQosPolicyorSet-NetQosPolicyin the command line. These commands are related to Quality of Service (QoS) policies, which manage network traffic priorities. The query checks if these commands are used in conjunction with the names of known EDR processes. This could suggest an attempt to manipulate network settings to affect the performance or functionality of EDR tools. -
Registry Modifications: It monitors changes to registry keys associated with QoS policies. The query looks for modifications where the registry value data includes the name of an EDR process. This might indicate an attempt to alter network settings at the registry level to impact EDR operations.
The query outputs details such as the time of the event, device name, account name, and the specific suspicious activity detected. It helps security teams identify potential threats where adversaries might be trying to degrade or disrupt EDR capabilities by manipulating network traffic priorities.
