
# List Tampering Attempts

## Query Information

#### Description
This query lists, per device, all tampering attempts observed by Microsoft Defender for Endpoint. A `TamperingAttempt` event means tamper protection acted and blocked an attempt to change Defender settings (for example disabling real-time protection or stopping the Defender service); the `Status` field extracted from `AdditionalFields` shows how tamper protection handled each attempt. The blocked action may itself be suspicious, but legitimate management tooling also triggers these events, so the rule will generate false positives that need filtering based on your environment.

#### Risk
An adversary tries to disable security logging and monitoring (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools) in order to carry out malicious activity undetected.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide

## Defender For Endpoint
```
DeviceEvents
// Only events raised by tamper protection
| where ActionType == "TamperingAttempt"
// Pull the tampering details out of the AdditionalFields JSON blob
| extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
// One row per device with the distinct actions, targets, registry values and initiating command lines seen
| summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitiatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceName
```
## Sentinel
```
DeviceEvents
// Only events raised by tamper protection
| where ActionType == "TamperingAttempt"
// Pull the tampering details out of the AdditionalFields JSON blob
| extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
// One row per device with the distinct actions, targets, registry values and initiating command lines seen
| summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitiatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceName
```

Explanation

This query lists all the tampering attempts observed on each device. Each event records a moment when tamper protection intervened because a process tried to change Microsoft Defender settings, stop its service or remove its protection, which is what an adversary does before carrying out malicious activity undetected. The query returns, per device, the total number of tampering actions, the distinct actions taken, the targets of the tampering, the registry value names involved and the command lines of the initiating processes. Note that the `Status` field is extracted but not included in the summary; add it if you want to see how each attempt was handled. Expect false positives from legitimate management tooling, which need to be filtered based on your specific environment.
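Because the per-device summary hides which process and account caused the events, tuning false positives usually starts from a view grouped by initiator. The query below is an added example for that tuning step, not the page's original query. It assumes the same `DeviceEvents` columns used above plus `InitiatingProcessFolderPath`, `InitiatingProcessFileName`, `InitiatingProcessAccountName` and `DeviceId`; the `BenignInitiators` list and the `c:\windows\ccm\ccmexec.exe` path in it are hypothetical placeholders for whatever your own tuning shows to be benign.

```kql
// Added tuning variant of the tampering-attempt query (example code, not
// the original page's query). Groups attempts by the process and account
// that triggered them so recurring benign sources can be identified and
// excluded, and surfaces the Status field the per-device query drops.
let lookback = 30d;
// Hypothetical allow-list of initiating processes known to be benign in
// this environment (full lower-case path). Replace with your own findings.
let BenignInitiators = dynamic([@"c:\windows\ccm\ccmexec.exe"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "TamperingAttempt"
| extend Fields = parse_json(AdditionalFields)
| extend TamperingAction = tostring(Fields.TamperingAction),
         Status = tostring(Fields.Status),
         Target = tostring(Fields.Target)
// Normalise the initiating process to a single lower-case path for matching
| extend InitiatorPath = tolower(strcat(InitiatingProcessFolderPath, @"\", InitiatingProcessFileName))
| where InitiatorPath !in (BenignInitiators)
| summarize Attempts = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Statuses = make_set(Status),
            Actions = make_set(TamperingAction),
            Targets = make_set(Target),
            RegistryValues = make_set(RegistryValueName),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
  by InitiatorPath, InitiatingProcessAccountName
// Initiators seen on many devices are usually management tooling;
// a single device with an unusual initiator is the interesting case
| order by Devices desc, Attempts desc
```

Initiators that appear on a large share of the fleet with the same command line are candidates for the allow-list; an initiator that appears on one or two devices, runs from a user-writable folder, or shows an unexpected `Status` value is what to investigate first. Once the list is settled, the same `!in (BenignInitiators)` filter can be dropped into the per-device query above.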

Details

Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceEvents

Keywords

Keywords: DeviceEvents, ActionType, TamperingAttempt, AdditionalFields, TamperingAction, Status, Target, TotalActions, Actions, Targets, RegistryNames, InitiatingCommandLine, DeviceName

Operators

where, extend, tostring, parse_json, summarize, count, make_set, by