Query Details
//Attempts to stop System Restore and prevent the system from creating restore points. Defender for Endpoint connected to Sentinel.
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'rundll32.exe'
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
and FileName in~ ('schtasks.exe')
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
This query looks for schtasks.exe being launched by a rundll32.exe whose own command line is non-empty but contains no spaces, that is, rundll32.exe started with no arguments (it normally receives a DLL name and an entry point). The child schtasks.exe command line must contain the terms "Change", "SystemRestore" and "disable", which together indicate an attempt to disable the scheduled task that creates System Restore points. Because the query reads the DeviceProcessEvents table, it applies to Microsoft Defender for Endpoint data that has been connected to Microsoft Sentinel.
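As an added illustration (not part of the original page and not Microsoft's hunting query), the following Python applies the same predicate to a handful of constructed DeviceProcessEvents rows so the semantics of each operator can be seen on concrete data. KQL `has` is approximated as case-insensitive whole-term matching, with terms taken as runs of letters, digits and underscore (an assumption about the tokenizer); that whole-term behaviour is what separates `has` from `contains`. Every process name and command line in the sample rows is constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the query filters on."""
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    FileName: str
    ProcessCommandLine: str


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL 'has': case-insensitive match on a whole term.

    Terms are maximal runs of [A-Za-z0-9_] (assumed tokenization), so
    'disable' does NOT match 'disabled', unlike 'contains'.
    """
    terms = {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text)}
    return term.lower() in terms


def matches_system_restore_tamper(ev: DeviceProcessEvent) -> bool:
    """Same predicate as the KQL where-clause, one condition per line."""
    return (
        ev.InitiatingProcessFileName.lower() == "rundll32.exe"   # =~ (case-insensitive)
        and " " not in ev.InitiatingProcessCommandLine            # !contains " "
        and ev.InitiatingProcessCommandLine != ""
        and ev.FileName.lower() in ("schtasks.exe",)             # in~ (case-insensitive)
        and kql_has(ev.ProcessCommandLine, "Change")
        and kql_has(ev.ProcessCommandLine, "SystemRestore")
        and kql_has(ev.ProcessCommandLine, "disable")
    )


# Constructed sample telemetry; only rows 0 and 5 should match.
SAMPLE_EVENTS = [
    # 0: rundll32 with no arguments spawning the disable command -> match
    DeviceProcessEvent("rundll32.exe", "rundll32.exe", "schtasks.exe",
                       r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    # 1: same command, but the parent is cmd.exe -> no match
    DeviceProcessEvent("cmd.exe", "cmd.exe", "schtasks.exe",
                       r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    # 2: rundll32 launched with arguments (command line has spaces) -> no match
    DeviceProcessEvent("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", "schtasks.exe",
                       r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    # 3: the task is being re-enabled, not disabled -> no match
    DeviceProcessEvent("rundll32.exe", "rundll32.exe", "schtasks.exe",
                       r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable'),
    # 4: substrings only ('SystemRestoreX', 'disabled'); 'has' needs whole terms -> no match
    DeviceProcessEvent("rundll32.exe", "rundll32.exe", "schtasks.exe",
                       r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestoreX\SR" /disabled'),
    # 5: different letter case everywhere; =~, in~ and has are case-insensitive -> match
    DeviceProcessEvent("RUNDLL32.EXE", "RUNDLL32.EXE", "SCHTASKS.EXE",
                       r'schtasks /change /tn "\Microsoft\Windows\SystemRestore\SR" /DISABLE'),
]


def hunt(events):
    """Return the indices of events the predicate flags."""
    return [i for i, ev in enumerate(events) if matches_system_restore_tamper(ev)]


if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"row {i}: {ev.InitiatingProcessFileName} -> {ev.ProcessCommandLine}")
```

Row 4 is the one worth studying: a `contains`-based rule would fire on it, while the `has`-based rule, like the KQL above, does not, because `SystemRestore` and `disable` are not present as whole terms.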

Rod Trent
Released: August 12, 2021