Bring Your Own Minifilter EDR Bypass
Query
//Detect Bring your own minifilter to bypass EDR.
// by default windows can defend against this by preventing unsigned drivers however SYSTEM and stolen certificates would bypass. EDR vendors should use minifilters with a high altitude
let Lookbackdays = 90d;
let BringYourOwnMiniFilter_bceditProcs = DeviceProcessEvents
| where TimeGenerated > ago(Lookbackdays)
| where ProcessCommandLine contains "becedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS" or ProcessCommandLine contains "bcedit.exe -set TESTSIGNINGON";
let BringYourOwnMiniFilter_ServiceCreation = DeviceProcessEvents
| where TimeGenerated > ago(Lookbackdays)
| where ProcessCommandLine contains @"sc create nullfilter type=filesys start=system binPath=C:\m.sys";
let BringYourOwnMiniFilter_registryKeychange = DeviceRegistryEvents
| where TimeGenerated > ago(Lookbackdays)
| where ActionType == "RegistryKeyCreated" or ActionType == "RegistryValueSet"
| where (RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\" and RegistryKey endswith @"\Instances\AltitudeAndFlags") or RegistryKey == @"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing";
BringYourOwnMiniFilter_bceditProcs
| union BringYourOwnMiniFilter_ServiceCreation
| union BringYourOwnMiniFilter_registryKeychangeExplanation
This query is designed to detect potential attempts to bypass Endpoint Detection and Response (EDR) systems by using unauthorized minifilter drivers. Here's a simplified breakdown of what the query does:
-
Lookback Period: It examines events from the past 90 days.
-
Detecting Command Line Activity:
- It searches for processes that have executed specific commands related to disabling integrity checks or enabling test signing for drivers. These commands are typically used to allow the loading of unsigned drivers, which could be malicious.
-
Detecting Service Creation:
- It looks for the creation of a specific service named "nullfilter" that could be used to load unauthorized drivers.
-
Detecting Registry Changes:
- It checks for changes in the Windows registry that could indicate attempts to manipulate driver signing policies or alter minifilter driver settings.
-
Combining Results:
- The query combines results from all three detection methods (command line activity, service creation, and registry changes) to provide a comprehensive view of potential security threats related to unauthorized minifilter drivers.
Overall, this query aims to identify suspicious activities that could indicate an attempt to bypass security measures by using custom or unauthorized drivers.
Details

Jay Kerai
Released: January 1, 2025
Tables
DeviceProcessEventsDeviceRegistryEvents
Keywords
DeviceProcessEventsDeviceRegistryEventsTimeGeneratedProcessCommandLineActionTypeRegistryKey
Operators
letagocontainsor==startswithandendswithunion