KQL Search

Query Details

HomeAI ToolsDevice Query

MDE Tamper Protection

Query

name : MDE Tamper Protection
source : https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/02-kql-MDE-TamperProtection.md
query: |
    //Counts how many times 'TamperingAttempt' happened to each device.
    DeviceEvents
    | where Timestamp > ago(30d)
    | where ActionType == "TamperingAttempt"
    | summarize TamperingAttempt = count() by DeviceId, DeviceName


    //Counts how many times 'TamperingAttempt' occurred and indicates which registry value impacted each device.
    DeviceEvents
    | where Timestamp > ago(30d)
    | where ActionType == "TamperingAttempt"
    | summarize Registry_Value = make_list(RegistryValueName) by DeviceId, DeviceName


    //Hunt for registry key activities for Microsoft Defender Antivirus.
    DeviceRegistryEvents
    | where Timestamp > ago(30d)
    | where RegistryKey has @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
    | project-reorder Timestamp, DeviceId, DeviceName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData
    | sort by Timestamp desc 


    //Hunt for disabling activities for Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
    DeviceEvents
    | where Timestamp > ago(30d)
    | where ActionType == "OtherAlertRelatedActivity"
    | where AdditionalFields has "net stop Sense"
    or AdditionalFields has "sc stop Sense"
    or AdditionalFields has "net stop WinDefend"
    or AdditionalFields has "sc stop WinDefend"
    | extend Command = split(AdditionalFields, 'line')[1]
    | project-reorder Timestamp, DeviceId, DeviceName, Command

Explanation

The query is used to analyze and monitor tampering attempts and registry key activities related to Microsoft Defender Antivirus and Microsoft Defender for Endpoint. It counts the number of tampering attempts and identifies the impacted registry values for each device. It also hunts for registry key activities and disabling activities for the mentioned antivirus programs. The query filters the data based on a specific time range and retrieves relevant fields for analysis.

Details

Kijo Girardi profile picture

Kijo Girardi

Released: March 29, 2023

Tables

DeviceEventsDeviceRegistryEvents

Keywords

DeviceEvents,Timestamp,ago,ActionType,TamperingAttempt,count,DeviceId,DeviceName,Registry_Value,make_list,RegistryValueName,DeviceRegistryEvents,RegistryKey,project-reorder,Timestampdesc,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueType,RegistryValueName,RegistryValueData,sort,DeviceEvents,OtherAlertRelatedActivity,AdditionalFields,netstopSense,scstopSense,netstopWinDefend,scstopWinDefend,extend,split,Command,project-reorder

Operators

toscalar()arg_max()count()mv-expandwheresummarizemake_list()project-reordersortextendsplit()

Actions