Query Details

Defendnot Detection

Query

// https://emsroute.com/2025/05/23/why-defendnot-is-a-wakeup-call-a-ground-level-analysis/
// https://github.com/es3n1n/defendnot
// https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques

// Remember to set the query period - v2 detection 

let AvModeDescription = dynamic({"0":"Normal", "1":"Passive", "4":"EDR Block"});
let DeviceEDRPassive =
DeviceTvmInfoGathering
| extend AdditionalFields = parse_json(AdditionalFields)
| extend AvEngineVersion = tostring(AdditionalFields.["AvEngineVersion"])
| extend AvPlatformVersion = tostring(AdditionalFields.["AvPlatformVersion"])
| extend AvMode =  tostring(AvModeDescription[tostring(AdditionalFields.["AvMode"])])
| where isnotempty( AvMode ) and AvMode == "Passive"
| distinct DeviceName;
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName has "ctx.bin"
| where DeviceName has_any(DeviceEDRPassive)

Explanation

This KQL (Kusto Query Language) query is designed to identify specific security-related events on devices that are operating in a "Passive" mode. Here's a breakdown of what the query does in simple terms:

  1. Define AvModeDescription: A mapping is created to translate numerical values into descriptive text for different antivirus modes. For example, "0" is "Normal", "1" is "Passive", and "4" is "EDR Block".

  2. Identify Passive Mode Devices:

    • The query looks at the DeviceTvmInfoGathering table to gather information about devices.
    • It extracts additional fields like AvEngineVersion, AvPlatformVersion, and AvMode from the AdditionalFields JSON.
    • It converts the AvMode number into a descriptive text using the AvModeDescription mapping.
    • It filters the results to only include devices where the antivirus mode is "Passive".
    • It then creates a distinct list of device names that are in "Passive" mode.
  3. Detect Specific File Creation Events:

    • The query then looks at the DeviceFileEvents table to find events where a file named "ctx.bin" was created.
    • It filters these events to only include those that occurred on devices identified as being in "Passive" mode.

In summary, this query identifies devices running in a "Passive" antivirus mode and checks if any of these devices have had a file named "ctx.bin" created on them. This could be part of an investigation into potential security bypass techniques, as indicated by the provided URLs.

Details

Steven Lim profile picture

Steven Lim

Released: May 26, 2025

Tables

DeviceTvmInfoGatheringDeviceFileEvents

Keywords

DeviceTvmInfoGatheringFileEventsActionTypeName

Operators

letdynamicextendparse_jsontostringwhereisnotemptydistincthashas_any

Actions

GitHub