# Microsoft Defender for Endpoint - Tamper Protection

## Query Information

### Description

Use the queries below to find Microsoft Defender tampering attempts.

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1562.001 | Disable or Modify Tools | https://attack.mitre.org/techniques/T1562/001/ |

#### References

- [Introducing tamper protection for exclusions](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-tamper-protection-for-exclusions/ba-p/3713761)
- [Protect security settings with tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide)
- [Current limits of Defender AV Tamper Protection](https://cloudbrothers.info/en/current-limits-defender-av-tamper-protection/)

### Microsoft 365 Defender

```kql
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == @"TamperingAttempt"
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF, columnsConflict='keep_source') : (DeviceName:string, TimeGenerated:datetime, ActionType:string, Status:string, TamperingAction:long, Target:string)
```
This query finds tampering attempts recorded by Microsoft Defender for Endpoint. It retrieves device events from the past 30 days where the ActionType is "TamperingAttempt", then unpacks the AdditionalFields property bag into typed columns so the result shows the device name, time generated, action type, status, tampering action, and target for each attempt.
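The query above lists every attempt individually. The following is an added example, not part of the original page, that aggregates the same events per device and target so a defender can see which hosts are being hit repeatedly and whether the attempts are being blocked. It assumes the same columns the query above projects (Status, TamperingAction and Target inside AdditionalFields); note that advanced hunting in the Defender portal names the time column Timestamp rather than TimeGenerated, so rename it there.

```kql
// Added example: summarise Defender tampering attempts per device and target
// over the same 30-day window as the query above. Column names are taken from
// that query; in Defender portal advanced hunting use Timestamp instead of
// TimeGenerated.
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == @"TamperingAttempt"
| extend AF = parse_json(AdditionalFields)
| extend Status = tostring(AF.Status),
         TamperingAction = tolong(AF.TamperingAction),
         Target = tostring(AF.Target)
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Statuses = make_set(Status)
  by DeviceName, Target, TamperingAction
| order by Attempts desc
```

Sorting by attempt count surfaces devices with sustained tampering activity first; the Statuses set shows at a glance whether any attempt against a given target was recorded with a status other than the expected blocked outcome, which is the row worth triaging.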

Alex Verboon
Released: June 4, 2023