Query Details

MDE - Defender Antivirus Exclusion Enumeration

MDE Defender Exclusions Enumerations

Query

let arguments = dynamic(['ScanType 3 -File',"-CheckExclusion"]);
DeviceProcessEvents
| where FileName == "MpCmdRun.exe"
| where ProcessCommandLine has_any (arguments)
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| summarize Count = count(), Commands = make_set(ProcessCommandLine) by bin(TimeGenerated,1m), DeviceName
// exclude threshold or tune as per your needs
// | where Count > 1

About this query

MDE - Defender Antivirus Exclusion Enumeration

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1564.012Defense Evasion: Hide Artifacts: File/Path Exclusionshttps://attack.mitre.org/techniques/T1564/012/

Description

Use the below query to identify Defender Antivirus Exclusion Path enumeration activities that use the mpcmdrun.exe

References

Microsoft Sentinel

Explanation

This query is designed to detect activities related to the enumeration of exclusion paths in Microsoft Defender Antivirus. Specifically, it looks for instances where the mpcmdrun.exe process is used with certain command-line arguments that indicate an attempt to check or list exclusion paths. Here's a breakdown of the query:

  1. Purpose: The query identifies when the mpcmdrun.exe tool is used to check for or list file/path exclusions in Microsoft Defender Antivirus. This is relevant to the MITRE ATT&CK technique T1564.012, which involves hiding artifacts by excluding certain files or paths from antivirus scans.

  2. Key Components:

    • arguments: A list of specific command-line arguments ('ScanType 3 -File' and "-CheckExclusion") that are associated with checking exclusions.
    • DeviceProcessEvents: The data source that logs process events on devices.
    • where FileName == "MpCmdRun.exe": Filters the events to only include those where the process name is MpCmdRun.exe.
    • where ProcessCommandLine has_any (arguments): Further filters the events to include only those where the command line contains any of the specified arguments.
    • project: Selects specific fields to display: TimeGenerated, DeviceName, FileName, and ProcessCommandLine.
    • summarize: Aggregates the data by counting the number of occurrences and grouping command lines by minute and device name.
  3. Output: The query results show the number of times these exclusion-checking commands were run per minute on each device, along with the specific command lines used.

  4. Customization: There is a commented-out line (// | where Count > 1) that can be used to filter the results further, showing only instances where the command was run more than once, which might indicate suspicious activity.

Overall, this query helps security analysts monitor and investigate potential misuse of Defender Antivirus exclusions, which could be a tactic for evading detection.

Details

Alex Verboon profile picture

Alex Verboon

Released: October 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimeGeneratedNameFileCommandLineCountCommands

Operators

letdynamicwherehas_anyprojectsummarizecountmake_setbin

MITRE Techniques

Actions

GitHub