Query Details
// This query detects potential abuse of MpCmdRun.exe to discover AV exclusion paths
// Looks for custom scan paths with wildcard pipe character
DeviceProcessEvents
| where FileName == "MpCmdRun.exe"
| where ProcessCommandLine has "-Scan" and ProcessCommandLine has "-Scantype 3" and ProcessCommandLine contains @"|*"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by Timestamp desc
This query is designed to identify suspicious use of the MpCmdRun.exe program, which is part of Windows Defender, to potentially discover antivirus exclusion paths. Here's a breakdown of what it does:
Source of Data: It examines events related to device processes (DeviceProcessEvents).
Filter Criteria:
- The process file name is MpCmdRun.exe.
- The command line includes the -Scan option and a scan type of 3 (-Scantype 3), which indicates a custom scan.
- The command line contains the pipe-and-wildcard sequence (|*), which might be used to manipulate or discover paths.
Data Projection: The query selects and displays the following details:
- Timestamp: When the event occurred.
- DeviceName: The name of the device where the event was logged.
- InitiatingProcessAccountName: The account name that initiated the process.
- ProcessCommandLine: The full command line that was used to run MpCmdRun.exe.
Ordering: The results are sorted by the timestamp in descending order, showing the most recent events first.
In simple terms, this query helps detect if someone is using MpCmdRun.exe in a potentially malicious way to find out which files or paths are excluded from antivirus scans, by looking for specific patterns in the command line arguments.
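The same filter, projection and ordering logic, re-implemented in Python and run over a handful of constructed DeviceProcessEvents rows. This is an added example and not part of the original query page; the kql_has and kql_contains helpers are an approximation of the KQL has (whole-term, case-insensitive) and contains (substring, case-insensitive) operators, and every sample row below is constructed, not real telemetry.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry).
# Timestamps are ISO-8601 UTC strings of equal width, so string order == time order.
SAMPLE_EVENTS = [
    {  # custom scan (-ScanType 3) with the |* sequence: should be reported
        "Timestamp": "2024-11-10T08:15:00Z", "DeviceName": "ws-finance-01",
        "InitiatingProcessAccountName": "jdoe", "FileName": "MpCmdRun.exe",
        "ProcessCommandLine": r'"MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\jdoe\|*"',
    },
    {  # quick scan (-ScanType 1): benign, not reported
        "Timestamp": "2024-11-10T09:00:00Z", "DeviceName": "ws-finance-02",
        "InitiatingProcessAccountName": "svc-av", "FileName": "MpCmdRun.exe",
        "ProcessCommandLine": "MpCmdRun.exe -Scan -ScanType 1",
    },
    {  # custom scan of a concrete folder, no |* sequence: not reported
        "Timestamp": "2024-11-10T09:30:00Z", "DeviceName": "ws-finance-02",
        "InitiatingProcessAccountName": "svc-av", "FileName": "MpCmdRun.exe",
        "ProcessCommandLine": r'MpCmdRun.exe -Scan -ScanType 3 -File "C:\Temp"',
    },
    {  # |* from a different process: FileName filter excludes it
        "Timestamp": "2024-11-10T10:00:00Z", "DeviceName": "ws-finance-03",
        "InitiatingProcessAccountName": "jdoe", "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c echo |*",
    },
    {  # lower-case command line: has/contains are case-insensitive, so still reported
        "Timestamp": "2024-11-10T07:30:00Z", "DeviceName": "srv-files-01",
        "InitiatingProcessAccountName": "backupadmin", "FileName": "MpCmdRun.exe",
        "ProcessCommandLine": r'mpcmdrun.exe -scan -scantype 3 -file "D:\share\|*"',
    },
]

PROJECTED_COLUMNS = ("Timestamp", "DeviceName",
                     "InitiatingProcessAccountName", "ProcessCommandLine")


def _terms(text):
    """Split text into lower-cased alphanumeric terms, the unit KQL `has` matches on."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text)]


def kql_has(haystack, phrase):
    """Approximation of KQL `has`: the phrase's terms must appear as whole terms,
    in order and adjacent, ignoring case. Punctuation such as the leading '-' is
    a delimiter, so has "-Scan" means 'the whole term Scan occurs'."""
    h, p = _terms(haystack), _terms(phrase)
    if not p:
        return False
    return any(h[i:i + len(p)] == p for i in range(len(h) - len(p) + 1))


def kql_contains(haystack, needle):
    """Approximation of KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def is_exclusion_discovery(event):
    """Mirror the two `where` clauses of the query for a single event."""
    cmd = event.get("ProcessCommandLine", "")
    return (event.get("FileName") == "MpCmdRun.exe"        # `==` is case-sensitive in KQL
            and kql_has(cmd, "-Scan")
            and kql_has(cmd, "-Scantype 3")
            and kql_contains(cmd, "|*"))


def run_detection(events):
    """Filter, project the four columns and order by Timestamp descending."""
    hits = [{col: e[col] for col in PROJECTED_COLUMNS}
            for e in events if is_exclusion_discovery(e)]
    return sorted(hits, key=lambda row: row["Timestamp"], reverse=True)


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"],
              row["InitiatingProcessAccountName"], row["ProcessCommandLine"])
```

Two rows come back (the 08:15 event first, then the 07:30 one). Two KQL details worth keeping in mind when tuning this query: `==` on FileName is case-sensitive, so a row whose FileName is recorded as mpcmdrun.exe would be missed unless you switch to `=~`; and `has` matches whole terms, so `has "-Scan"` requires a standalone Scan token and is not satisfied by -ScanType alone, which is why the query checks for both.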

Tom Rolvers
Released: November 10, 2024