EXPLOIT No Defender Loader Detection

Query

# *No Defender Loader Detection*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.001 | Disable or Modify Tools: Antivirus | https://attack.mitre.org/techniques/T1562/001/ |

#### Description
This KQL query is designed to detect activity associated with the "no-defender-loader" (NDL) malware, which is known for its attempts to evade detection by disabling or manipulating Microsoft Defender.

#### Risk
Detection of no-defender-loader

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://github.com/es3n1n/no-defender
- https://www.virustotal.com/gui/file/f4652a2073f72a1fc64dfc08a3a56c258f30cc4737ab9feefb602d54ec4c68b5/behavior


## Defender XDR
```KQL
// no-defender-loader-detection
// Based on https://github.com/es3n1n/no-defender
// Indicators from https://www.virustotal.com/gui/file/f4652a2073f72a1fc64dfc08a3a56c258f30cc4737ab9feefb602d54ec4c68b5/behavior
// Note: the paths and registry keys below come from a single sandbox run. The WER temp
// file names (WERF22D.tmp, WERF2AB.tmp) and the NLA cache GUIDs are specific to that run,
// so treat those as low-confidence indicators and review hits together with ctx.bin.
// 1. File creation: the loader's ctx.bin file, or files written at fixed ProgramData paths
//    (BITS downloader database, WER temp files). FolderPath holds the full path incl. file name.
let ndlFileCreate = DeviceFileEvents
| where FileName contains "ctx.bin"
//or SHA256 == "79e53d36a40951ab328e153bac9c1e3adf3330b45899345e645889b9046f06e0"
//or SHA256 == "de820b5e592cf456f6a4f8356195c4a335a51c6354ca7ac32ccd390e62d9becc"
or (ActionType == "FileCreated" and FolderPath in~ ("C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log","C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db", "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm", "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERF22D.tmp", "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERF22D.tmp.csv", "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERF2AB.tmp", "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERF2AB.tmp.txt") and FileName !endswith ".csv");
// 2. File deletion: clean-up of the same WER temp files
let ndlFileDelete = DeviceFileEvents
| where (ActionType == "FileDeleted" and FolderPath has_any ("C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERF22D.tmp","C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERF2AB.tmp"));
// 3. Registry values set under the Avast product key, NLA network cache entries and the
//    network adapter class ({4d36e972-...} is the Net device class) Linkage keys
let ndlRegEventsCreate = DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Avast Software\\Avast\\ProgramFolder",  "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\{A16B3811-6333-49F6-89F3-3DB75D9D59B9}",  "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\{A8B1B530-930D-4F5A-B04B-4C388594DD4B}",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0005\\Linkage\\FilterList",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0006\\Linkage\\FilterList",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0007\\Linkage\\FilterList",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0008\\Linkage\\FilterList",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0009\\Linkage\\Export",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0009\\Linkage\\RootDevice",  "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0009\\Linkage\\UpperBind");
// 4. Deletion of the network configuration lock-holder key
let ndlRegEventsDelete = DeviceRegistryEvents
| where ActionType == "RegistryKeyDeleted"
| where RegistryKey == "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Network\\NetCfgLockHolder";
// Combine the four indicator sets into a single result set
ndlFileCreate
| union ndlFileDelete
| union ndlRegEventsCreate
| union ndlRegEventsDelete
```


Explanation

This KQL (Kusto Query Language) query is designed to detect suspicious activities associated with the "no-defender-loader" (NDL) malware. This malware is known for trying to evade detection by disabling or manipulating Microsoft Defender, a security tool.

Here's a simplified breakdown of what the query does:

  1. File Creation Detection: It looks for the creation of specific files that are indicative of the NDL malware: any file whose name contains "ctx.bin", or files created at fixed paths under C:\ProgramData (the BITS downloader database files and WER temp files observed in the sandbox run), excluding .csv files.

  2. File Deletion Detection: It checks for the deletion of the two WER temp files from the same run, which might suggest an attempt to cover tracks or remove evidence of malicious activity.

  3. Registry Modification Detection: It monitors changes to the Windows Registry, specifically values set under certain keys (the Avast product key, NLA network cache entries and network adapter Linkage keys) that could indicate the presence of the NDL malware. These changes might be used to disable or alter the behavior of security tools like Microsoft Defender.

  4. Registry Deletion Detection: It also looks for the deletion of the NetCfgLockHolder registry key, which could be another tactic used by the malware to evade detection or disable security features.

The query combines these different checks to identify potential indicators of the NDL malware's presence on a system. By monitoring file and registry activities, it aims to detect and alert on behaviors that are characteristic of this malware's attempts to disable or manipulate security defenses.
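The four detection blocks and the closing union, re-implemented in Python over constructed sample events so the matching semantics can be checked offline. This is an added example, not code from the query's author or from the no-defender project: the `Table` column, the helper names, the rule labels and the sample rows are this example's own assumptions, only a subset of the registry keys is carried over, and `has_any` is approximated as a case-insensitive substring match.

```python
"""Offline re-implementation of the no-defender-loader KQL detection above.

Added example, not part of the original query page. SAMPLE_EVENTS is constructed
to resemble DeviceFileEvents / DeviceRegistryEvents rows; the "Table" column and
the rule labels are conventions of this example only.
"""
from typing import Iterable, List, Optional, Tuple

# Indicators copied from the query. The registry list is a representative subset;
# the query itself carries the full set of NLA cache and Linkage keys.
NDL_FILE_CREATE_PATHS = (
    r"C:\ProgramData\Microsoft\Network\Downloader\edb.log",
    r"C:\ProgramData\Microsoft\Network\Downloader\qmgr.db",
    r"C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF22D.tmp",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF22D.tmp.csv",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AB.tmp",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AB.tmp.txt",
)
NDL_FILE_DELETE_PATHS = (
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF22D.tmp",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AB.tmp",
)
NDL_REG_SET_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\{A16B3811-6333-49F6-89F3-3DB75D9D59B9}",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0005\Linkage\FilterList",
)
NDL_REG_DELETE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NetCfgLockHolder"


# KQL string operators are case-insensitive unless suffixed with _cs; mirror that.
def kql_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def kql_in_ci(value: str, options: Iterable[str]) -> bool:
    return value.lower() in {o.lower() for o in options}


def kql_has_any(value: str, terms: Iterable[str]) -> bool:
    # has_any does term/phrase matching; for full paths a case-insensitive
    # substring test is the closest offline approximation.
    return any(kql_contains(value, t) for t in terms)


def kql_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def classify(event: dict) -> Optional[str]:
    """Return the name of the let-block the event would satisfy, or None."""
    action = event.get("ActionType", "")
    if event.get("Table") == "DeviceFileEvents":
        name, path = event.get("FileName", ""), event.get("FolderPath", "")
        # ndlFileCreate: ctx.bin anywhere, or a fixed ProgramData path that is not .csv
        if kql_contains(name, "ctx.bin") or (
            action == "FileCreated"
            and kql_in_ci(path, NDL_FILE_CREATE_PATHS)
            and not kql_endswith(name, ".csv")
        ):
            return "ndlFileCreate"
        if action == "FileDeleted" and kql_has_any(path, NDL_FILE_DELETE_PATHS):
            return "ndlFileDelete"
    elif event.get("Table") == "DeviceRegistryEvents":
        key = event.get("RegistryKey", "")
        if action == "RegistryValueSet" and kql_has_any(key, NDL_REG_SET_KEYS):
            return "ndlRegEventsCreate"
        if action == "RegistryKeyDeleted" and key == NDL_REG_DELETE_KEY:
            return "ndlRegEventsDelete"
    return None


def hunt(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Mirror the closing union: every event matching any block, tagged with the block name."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["Timestamp"], event["DeviceName"], rule))
    return hits


# Constructed sample rows (not real telemetry). As in the query, FolderPath carries the
# full path including the file name, which is how DeviceFileEvents reports it.
SAMPLE_EVENTS = [
    {"Table": "DeviceFileEvents", "Timestamp": "2025-10-06T10:00:01Z", "DeviceName": "ws01",
     "ActionType": "FileCreated", "FileName": "ctx.bin", "FolderPath": r"C:\Users\Public\ctx.bin"},
    {"Table": "DeviceFileEvents", "Timestamp": "2025-10-06T10:00:02Z", "DeviceName": "ws01",
     "ActionType": "FileCreated", "FileName": "WERF22D.tmp.csv",
     "FolderPath": r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF22D.tmp.csv"},  # .csv is excluded
    {"Table": "DeviceFileEvents", "Timestamp": "2025-10-06T10:00:03Z", "DeviceName": "ws01",
     "ActionType": "FileDeleted", "FileName": "WERF2AB.tmp",
     "FolderPath": r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AB.tmp"},
    {"Table": "DeviceRegistryEvents", "Timestamp": "2025-10-06T10:00:04Z", "DeviceName": "ws01",
     "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder"},
    {"Table": "DeviceRegistryEvents", "Timestamp": "2025-10-06T10:00:05Z", "DeviceName": "ws01",
     "ActionType": "RegistryKeyDeleted", "RegistryKey": NDL_REG_DELETE_KEY},
    {"Table": "DeviceFileEvents", "Timestamp": "2025-10-06T10:00:06Z", "DeviceName": "ws02",
     "ActionType": "FileCreated", "FileName": "report.txt", "FolderPath": r"C:\Users\alice\report.txt"},
]

if __name__ == "__main__":
    for ts, host, rule in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

Run stand-alone it reports four hits on ws01 (one per let-block) and nothing for the benign row on ws02; the WERF22D.tmp.csv creation is dropped by the `!endswith ".csv"` clause even though its path is in the list, which is the one exclusion in the query worth testing before deploying it. Because the fixed paths and GUIDs come from one sandbox run, a real tuning pass would widen the WER temp match (for example to the directory plus a `WER*.tmp` pattern) rather than hard-code the two names.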

Details

Benjamin Zulliger

Released: October 6, 2025

Tables

- DeviceFileEvents
- DeviceRegistryEvents

Keywords

DeviceFileEvents, DeviceRegistryEvents, Microsoft, Windows, Network, ProgramData, RegistryKey, ActionType, FileName, FolderPath

Operators

let, contains, or, in~, !endswith, has_any, ==, union