Query Details

Defendnot Detection

Query

// https://emsroute.com/2025/05/23/why-defendnot-is-a-wakeup-call-a-ground-level-analysis/
// https://github.com/es3n1n/defendnot

// Remember to set the query period

// Map the numeric AvMode reported in the TVM data to a readable label.
let AvModeDescription = dynamic({"0":"Normal", "1":"Passive", "4":"EDR Block"});
// Step 1: devices whose Defender AV reports Passive mode.
let DeviceEDRPassive =
DeviceTvmInfoGathering
| extend AdditionalFields = parse_json(AdditionalFields)
| extend AvEngineVersion = tostring(AdditionalFields.["AvEngineVersion"])
| extend AvPlatformVersion = tostring(AdditionalFields.["AvPlatformVersion"])
| extend AvMode = tostring(AvModeDescription[tostring(AdditionalFields.["AvMode"])])
| where isnotempty( AvMode ) and AvMode == "Passive"
| distinct DeviceName;
// Step 2: registry writes under the Windows Security Center AV provider key on those devices.
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\SOFTWARE\\Microsoft\\Security Center\\Provider\\Av"
| where DeviceName has_any(DeviceEDRPassive)

Explanation

This KQL (Kusto Query Language) query hunts for Defendnot, a tool that registers a fake antivirus product through the Windows Security Center (WSC) API. Once WSC believes a third-party AV is installed, Microsoft Defender Antivirus on a device onboarded to Defender for Endpoint drops into passive mode. The query therefore combines two signals: devices whose Defender AV reports "Passive" mode, and registry writes on those same devices under the Security Center AV provider key, where WSC records registered AV products. Here is a breakdown of what the query does:

  1. Define Antivirus Modes: The query starts by declaring a dynamic object that maps the numeric AvMode value to a label: "0" is "Normal" (active), "1" is "Passive", and "4" is "EDR Block".

  2. Identify Devices in Passive Mode:

    • It queries the DeviceTvmInfoGathering table, parses the AdditionalFields JSON column, and pulls out AvEngineVersion, AvPlatformVersion and AvMode.
    • It translates AvMode through the mapping and keeps only rows whose mode resolves to "Passive" (the isnotempty() check is redundant with the equality test but harmless).
    • It stores the distinct DeviceName values in the DeviceEDRPassive variable. TVM information gathering data is refreshed periodically rather than streamed per event, which is why the query reminds you to set a period wide enough to include an assessment for each device.
  3. Check Registry Changes:

    • It queries the DeviceRegistryEvents table for events with ActionType "RegistryValueSet".
    • It keeps only writes whose RegistryKey contains \SOFTWARE\Microsoft\Security Center\Provider\Av, the WSC key under which each registered AV provider gets its own subkey.
    • It restricts the results with has_any() to devices that appear in the DeviceEDRPassive list.

In summary, the query surfaces devices where Defender AV is in passive mode and a value was written under the WSC AV provider key within the same period. Both conditions are also met by a legitimate third-party AV installation, so hits need triage: compare the provider's display name value and the InitiatingProcessFileName of the write against the AV products your organization actually deploys, and treat an unknown product name or an unexpected writing process as the Defendnot indicator.
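To make the two-stage correlation concrete, the following Python re-implements the query's logic over a handful of constructed rows. It is an added example, not part of the original query or the Defendnot project: the device names, the JSON in AdditionalFields, the registry rows and the all-zero provider GUID are made up, and the kql_has helper only approximates the term-based KQL has operator.

```python
"""Python model of the Defendnot detection query, run over constructed sample rows.
Added example: the rows are made up and the table shapes are simplified."""
import json

# Same AvMode mapping the query declares with dynamic({...}).
AV_MODE_DESCRIPTION = {"0": "Normal", "1": "Passive", "4": "EDR Block"}

# The registry key fragment the query matches with `has`.
PROVIDER_AV_KEY = r"\SOFTWARE\Microsoft\Security Center\Provider\Av"
HKLM = "HKEY_LOCAL_MACHINE"
PLACEHOLDER_GUID = r"\{00000000-0000-0000-0000-000000000000}"  # constructed, not a real provider

# Constructed DeviceTvmInfoGathering rows. AdditionalFields arrives as a JSON
# string, which is why the query calls parse_json() on it first.
TVM_INFO_GATHERING = [
    {"DeviceName": "ws-finance-01",
     "AdditionalFields": json.dumps({"AvMode": "1", "AvEngineVersion": "1.1.0.0",
                                     "AvPlatformVersion": "4.18.0.0"})},
    {"DeviceName": "ws-hr-02", "AdditionalFields": json.dumps({"AvMode": "0"})},
    {"DeviceName": "srv-app-03", "AdditionalFields": json.dumps({"AvMode": "4"})},
    {"DeviceName": "ws-dev-04", "AdditionalFields": json.dumps({"AvMode": "1"})},
    {"DeviceName": "ws-legal-05", "AdditionalFields": "{}"},  # AvMode missing entirely
]

# Constructed DeviceRegistryEvents rows covering the hit and the three near-misses.
REGISTRY_EVENTS = [
    # Passive device + RegistryValueSet under Provider\Av -> should fire.
    {"DeviceName": "ws-finance-01", "ActionType": "RegistryValueSet",
     "RegistryKey": HKLM + PROVIDER_AV_KEY + PLACEHOLDER_GUID,
     "RegistryValueName": "DISPLAYNAME", "RegistryValueData": "Example AV",
     "InitiatingProcessFileName": "loader.exe"},
    # Same write, but the device is still in Normal mode -> excluded by DeviceEDRPassive.
    {"DeviceName": "ws-hr-02", "ActionType": "RegistryValueSet",
     "RegistryKey": HKLM + PROVIDER_AV_KEY + PLACEHOLDER_GUID,
     "RegistryValueName": "DISPLAYNAME", "RegistryValueData": "Example AV",
     "InitiatingProcessFileName": "loader.exe"},
    # Passive device, right key, but a key creation rather than a value set -> excluded.
    {"DeviceName": "ws-dev-04", "ActionType": "RegistryKeyCreated",
     "RegistryKey": HKLM + PROVIDER_AV_KEY + PLACEHOLDER_GUID,
     "RegistryValueName": "", "RegistryValueData": "",
     "InitiatingProcessFileName": "svchost.exe"},
    # Passive device, value set, but under an unrelated Defender key -> excluded.
    {"DeviceName": "ws-dev-04", "ActionType": "RegistryValueSet",
     "RegistryKey": HKLM + r"\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
     "RegistryValueName": "DisableRealtimeMonitoring", "RegistryValueData": "1",
     "InitiatingProcessFileName": "reg.exe"},
]


def av_mode_label(additional_fields_json: str) -> str:
    """Mirror parse_json() plus the dynamic lookup; unknown or missing AvMode -> ''."""
    fields = json.loads(additional_fields_json)
    return AV_MODE_DESCRIPTION.get(str(fields.get("AvMode", "")), "")


def passive_devices(tvm_rows) -> set:
    """The DeviceEDRPassive let-statement: distinct DeviceName where AvMode == Passive."""
    return {r["DeviceName"] for r in tvm_rows
            if av_mode_label(r["AdditionalFields"]) == "Passive"}


def kql_has(haystack: str, needle: str) -> bool:
    """Approximation of KQL `has`: case-insensitive containment. The real operator
    matches whole terms, so this stand-in is slightly looser than the query."""
    return needle.casefold() in haystack.casefold()


def detect_provider_av_writes(tvm_rows, registry_rows):
    """The second half of the query: Provider\\Av value writes on passive-mode devices."""
    passive = passive_devices(tvm_rows)
    return [r for r in registry_rows
            if r["ActionType"] == "RegistryValueSet"
            and kql_has(r["RegistryKey"], PROVIDER_AV_KEY)
            and r["DeviceName"] in passive]  # set membership stands in for has_any()


if __name__ == "__main__":
    for hit in detect_provider_av_writes(TVM_INFO_GATHERING, REGISTRY_EVENTS):
        print(hit["DeviceName"], hit["RegistryValueName"], hit["RegistryValueData"],
              hit["InitiatingProcessFileName"])
```

The ws-hr-02 row shows what the passive-mode gate buys: an identical Provider\Av write on a device whose Defender is still active is not surfaced. The flip side is that a genuine third-party AV install on a passive device still matches, which is why the display name and initiating process of each hit need a look before it is called Defendnot.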

Details


Steven Lim

Released: May 23, 2025

Tables

DeviceTvmInfoGathering, DeviceRegistryEvents

Keywords

DeviceTvmInfoGathering, DeviceRegistryEvents, ActionType, RegistryKey, DeviceName, AvEngineVersion, AvPlatformVersion, AvMode, AdditionalFields

Operators

let, dynamic, extend, parse_json, tostring, isnotempty, where, and, distinct, has, has_any
