Query Details
# Defender Antivirus - Exclusions

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1562.001 | Impair Defenses: Disable or Modify Tools | https://attack.mitre.org/techniques/T1562/001/ |

### Description

Use the queries below to identify modifications to Defender Antivirus exclusions.

#### References

### Microsoft 365 Defender

Defender Antivirus Exclusions modifications

```kql
// Exclusions added locally (Add-MpPreference / Set-MpPreference, the Windows Security app)
// are stored as values under the Paths, Extensions, Processes, ... subkeys of this key.
// The excluded item is the value name; the value data is normally 0.
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
```

Defender Antivirus exclusions - Alert

```kql
// Pull the built-in Defender alert for suspicious exclusions together with its evidence rows
AlertInfo
| where Title == "Suspicious Microsoft Defender Antivirus exclusion"
| join AlertEvidence on $left.AlertId == $right.AlertId
| project-reorder Timestamp, AlertId, DetectionSource, EntityType, EvidenceRole, FileName, FolderPath, RegistryKey, RegistryValueName, RegistryValueData
```
The first query surfaces modifications to Defender Antivirus exclusions in the Windows registry: every RegistryValueSet event whose key starts with 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions'. The subkey (Paths, Extensions, Processes, and so on) tells you the exclusion type and RegistryValueName holds the excluded path, extension or process, so those two columns plus the initiating process and account are what to triage. Two caveats: KQL `startswith` is case-insensitive, so key casing does not matter, but exclusions pushed by Group Policy or Intune are written under 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' and are not covered by this prefix; and because the query filters on RegistryValueSet, removal of an exclusion (RegistryValueDeleted) is not shown.

The second query does not generate an alert; it retrieves the alerts Microsoft 365 Defender has already raised under the title "Suspicious Microsoft Defender Antivirus exclusion". It joins AlertInfo to AlertEvidence on AlertId and moves the useful columns to the front: timestamp, alert ID, detection source, entity type, evidence role, file name, folder path, registry key, registry value name and registry value data.
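To make the matching rules of the first query concrete, the following Python model re-implements its filter over constructed DeviceRegistryEvents rows. It is an added example, not code from the page or from the author: the sample rows, process names and the "broad exclusion" heuristics are constructed for illustration. It goes beyond the page's query in two ways, both stated in the code: it also matches the policy-managed exclusion key, and it flags exclusions that are wide enough to warrant a closer look.

```python
"""Offline model of the Defender-exclusion hunting logic (added example).

Re-implements the first KQL query's filter in Python so its matching rules can
be exercised against constructed DeviceRegistryEvents rows. Extensions beyond
the page's query: the Group Policy / Intune-managed exclusion key is matched
too, and a simple "broad exclusion" flag is computed. Sample rows, process
names and the broad-exclusion heuristics are constructed for this example.
"""
from dataclasses import dataclass

# Key prefixes that hold Defender exclusions. The first is the one the page's
# query uses; the second is where Group Policy / Intune managed exclusions land.
# KQL `startswith` is case-insensitive, so the comparison below is too.
EXCLUSION_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",
)

# Heuristics for exclusions wide enough to deserve review (constructed; tune
# to the environment). Paths are compared lower-cased, without a trailing '\'.
BROAD_PATHS = {"c:", "c:\\users", "c:\\windows", "c:\\programdata"}
BROAD_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".js", ".vbs", ".scr"}


@dataclass
class RegistryEvent:
    """The DeviceRegistryEvents columns this example uses."""
    Timestamp: str
    DeviceName: str
    ActionType: str
    RegistryKey: str
    RegistryValueName: str
    RegistryValueData: str
    InitiatingProcessFileName: str
    InitiatingProcessAccountName: str


def exclusion_root(key: str):
    """Return the matching root prefix, or None if the key is not an exclusion key."""
    lowered = key.lower()
    for root in EXCLUSION_ROOTS:
        if lowered.startswith(root.lower()):
            return root
    return None


def exclusion_category(key: str) -> str:
    """Subkey under ...\\Exclusions: Paths, Extensions, Processes, ... ('' if none)."""
    root = exclusion_root(key)
    rest = key[len(root):].strip("\\") if root else ""
    return rest.split("\\")[0] if rest else ""


def is_broad(category: str, value_name: str) -> bool:
    """True for drive roots, well-known system folders, temp folders and script/binary extensions."""
    v = value_name.lower().rstrip("\\")
    if category.lower() == "extensions":
        return "." + v.lstrip(".") in BROAD_EXTENSIONS
    if category.lower() in ("paths", "processes"):
        return v in BROAD_PATHS or v.endswith("\\temp")
    return False


def hunt(events):
    """Python equivalent of the page's first query, plus category, policy and broad flags."""
    hits = []
    for e in events:
        if e.ActionType != "RegistryValueSet":          # same ActionType filter as the KQL
            continue
        if exclusion_root(e.RegistryKey) is None:       # same prefix filter (case-insensitive)
            continue
        category = exclusion_category(e.RegistryKey)
        hits.append({
            "Timestamp": e.Timestamp,
            "DeviceName": e.DeviceName,
            "Category": category,
            "Excluded": e.RegistryValueName,            # the excluded item is the value name
            "PolicyManaged": "\\policies\\" in e.RegistryKey.lower(),
            "Broad": is_broad(category, e.RegistryValueName),
            "InitiatingProcess": e.InitiatingProcessFileName,
            "Account": e.InitiatingProcessAccountName,
        })
    return hits


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    RegistryEvent("2023-09-23T08:01:12Z", "ws01", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
                  r"C:\Users\alice\AppData\Local\Temp", "0", "powershell.exe", "alice"),
    RegistryEvent("2023-09-23T08:02:40Z", "ws01", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions",
                  ".exe", "0", "svchost.exe", "system"),
    # Key written in a different case: KQL startswith still matches it.
    RegistryEvent("2023-09-23T08:03:05Z", "ws02", "RegistryValueSet",
                  r"hkey_local_machine\software\microsoft\windows defender\exclusions\Processes",
                  r"C:\Program Files\Vendor\agent.exe", "0", "setup.exe", "system"),
    # Not an exclusion key: must not match.
    RegistryEvent("2023-09-23T08:04:00Z", "ws02", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
                  "DisableRealtimeMonitoring", "1", "reg.exe", "bob"),
    # Removal of an exclusion: dropped by the ActionType filter, as in the KQL.
    RegistryEvent("2023-09-23T08:05:30Z", "ws01", "RegistryValueDeleted",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
                  r"C:\Users\alice\AppData\Local\Temp", "", "powershell.exe", "alice"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints three hits: the temp-folder path exclusion (broad, locally set), the `.exe` extension exclusion (broad, policy-managed) and the vendor process exclusion (not broad); the Real-Time Protection change and the deletion are filtered out exactly as they would be by the KQL. If you want deletions in the hunt, widen the ActionType filter to `in ("RegistryValueSet", "RegistryValueDeleted")`.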

Alex Verboon
Released: September 23, 2023