Query Details
# MDE - Defender Antivirus Exclusion Enumeration

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1564.012 | Defense Evasion: Hide Artifacts: File/Path Exclusions | https://attack.mitre.org/techniques/T1564/012/ |

### Description

Use the query below to identify Defender Antivirus exclusion path enumeration activity that uses mpcmdrun.exe.

#### References

- [Peeking Behind the Curtain: Finding Defender’s Exclusions](https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/)
- [Hide Artifacts: File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012/)

### Microsoft Sentinel

```kql
// Command-line fragments associated with probing Defender exclusions
let arguments = dynamic(['ScanType 3 -File',"-CheckExclusion"]);
DeviceProcessEvents
| where FileName == "MpCmdRun.exe"
| where ProcessCommandLine has_any (arguments)
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
// One row per device per minute, with the distinct command lines seen
| summarize Count = count(), Commands = make_set(ProcessCommandLine) by bin(TimeGenerated,1m), DeviceName
// exclude threshold or tune as per your needs
// | where Count > 1
```
This query is designed to detect activities related to the enumeration of exclusion paths in Microsoft Defender Antivirus. Specifically, it looks for instances where the mpcmdrun.exe process is used with certain command-line arguments that indicate an attempt to check or list exclusion paths. Here's a breakdown of the query:
Purpose: The query identifies when the mpcmdrun.exe tool is used to check for or list file/path exclusions in Microsoft Defender Antivirus. This is relevant to the MITRE ATT&CK technique T1564.012, which involves hiding artifacts by excluding certain files or paths from antivirus scans.
Key components:

- `arguments`: a list of command-line fragments (`'ScanType 3 -File'` and `"-CheckExclusion"`) associated with checking exclusions.
- `DeviceProcessEvents`: the table that records process creation events on onboarded devices.
- `where FileName == "MpCmdRun.exe"`: keeps only events where the process name is `MpCmdRun.exe`.
- `where ProcessCommandLine has_any (arguments)`: keeps only events whose command line contains any of the listed fragments.
- `project`: selects the fields to carry forward: `TimeGenerated`, `DeviceName`, `FileName`, and `ProcessCommandLine`.
- `summarize`: counts the matching events and collects the distinct command lines, grouped by one-minute bin and device name.

Output: one row per device per minute, showing how many times these exclusion-checking commands ran and the specific command lines used.

Customization: the commented-out line (`// | where Count > 1`) can be enabled to keep only minutes in which the command ran more than once on a device, which may point to deliberate enumeration rather than a one-off administrative check.

Overall, this query helps security analysts monitor and investigate potential misuse of Defender Antivirus exclusions, which could be a tactic for evading detection.
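To make the pipeline above concrete without a Sentinel workspace, here is an added Python re-implementation of the same filter-then-summarize logic run over a handful of constructed `DeviceProcessEvents` records. This is example code written for this page, not the query author's code; the sample events, device names and paths are made up, and the `has_any` helper approximates KQL's case-insensitive term matching with a case-insensitive substring check. It also mirrors one detail of the KQL worth knowing: string `==` is case-sensitive, so the `FileName` comparison only matches `MpCmdRun.exe` spelled exactly that way (KQL's `=~` is the case-insensitive form).

```python
"""Mirror of the page's KQL detection over constructed DeviceProcessEvents rows.

Example code for illustration only; not the query author's code.
"""
from collections import defaultdict
from datetime import datetime

# Command-line fragments, copied from the KQL `arguments` list.
ARGUMENTS = ["ScanType 3 -File", "-CheckExclusion"]

# Constructed sample events (illustrative values, not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-10-09T10:15:05Z", "DeviceName": "WS01",
     "FileName": "MpCmdRun.exe",
     "ProcessCommandLine": "MpCmdRun.exe -Scan -ScanType 3 -File C:\\Users\\Public\\probe.txt"},
    {"TimeGenerated": "2024-10-09T10:15:40Z", "DeviceName": "WS01",
     "FileName": "MpCmdRun.exe",
     "ProcessCommandLine": "MpCmdRun.exe -CheckExclusion -path C:\\Users\\Public"},
    {"TimeGenerated": "2024-10-09T10:17:02Z", "DeviceName": "SRV02",
     "FileName": "MpCmdRun.exe",
     "ProcessCommandLine": "MpCmdRun.exe -checkexclusion -path D:\\Data"},
    # Benign signature update: same binary, no exclusion-related argument.
    {"TimeGenerated": "2024-10-09T10:17:30Z", "DeviceName": "SRV02",
     "FileName": "MpCmdRun.exe",
     "ProcessCommandLine": "MpCmdRun.exe -SignatureUpdate"},
    # Different process: the keyword appears, but FileName does not match.
    {"TimeGenerated": "2024-10-09T10:18:00Z", "DeviceName": "WS01",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo -CheckExclusion"},
]


def has_any(command_line, arguments):
    """Approximation of KQL has_any: case-insensitive, any fragment present."""
    lowered = command_line.lower()
    return any(arg.lower() in lowered for arg in arguments)


def minute_bin(time_generated):
    """Equivalent of bin(TimeGenerated, 1m): truncate the timestamp to the minute."""
    ts = datetime.strptime(time_generated, "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(second=0, microsecond=0).strftime("%Y-%m-%dT%H:%M:00Z")


def detect_exclusion_enumeration(events, arguments=ARGUMENTS, min_count=0):
    """Run the KQL pipeline: filter on FileName and arguments, then summarize.

    Returns {(minute_bin, DeviceName): {"Count": n, "Commands": [...]}}.
    min_count=1 reproduces the commented-out `| where Count > 1` threshold;
    the default of 0 keeps every group, like the query as shipped.
    """
    groups = defaultdict(lambda: {"Count": 0, "Commands": set()})
    for ev in events:
        # KQL `==` on strings is case-sensitive, so the binary name must match exactly.
        if ev["FileName"] != "MpCmdRun.exe":
            continue
        if not has_any(ev["ProcessCommandLine"], arguments):
            continue
        key = (minute_bin(ev["TimeGenerated"]), ev["DeviceName"])
        groups[key]["Count"] += 1
        groups[key]["Commands"].add(ev["ProcessCommandLine"])  # make_set(): distinct values
    return {
        key: {"Count": g["Count"], "Commands": sorted(g["Commands"])}
        for key, g in groups.items()
        if g["Count"] > min_count
    }


if __name__ == "__main__":
    for (minute, device), hit in sorted(detect_exclusion_enumeration(SAMPLE_EVENTS).items()):
        print(f"{minute} {device}: {hit['Count']} hit(s)")
        for cmd in hit["Commands"]:
            print("    ", cmd)
```

Running it as-is lists two groups (two hits for WS01 in the 10:15 minute, one for SRV02 at 10:17); passing `min_count=1` leaves only the WS01 group, which is exactly what enabling the `| where Count > 1` line would do in Sentinel. The signature-update run and the `cmd.exe` row fall out at the filter stage, as they would in the KQL.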

Alex Verboon
Released: October 9, 2024