List Defender Discovery Activities
Defender Discovery Activities
Query
let ProcessBased = DeviceProcessEvents
| where ProcessCommandLine has "Get-MpPreference"
| extend Table = "DeviceProcessEvents"
| project-reorder Table, Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName;
let EventBased = DeviceEvents
| extend Command = parse_json(AdditionalFields).Command
| where Command == "Get-MpPreference"
| extend ScriptLocation = extract(@"literalPath '(.*?)'", 0, InitiatingProcessCommandLine)
| extend Table = "DeviceEvents"
| project-reorder Table, Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ScriptLocation;
union ProcessBased, EventBasedAbout this query
Explanation
This query is designed to identify activities related to the use of the Get-MpPreference command, which is a PowerShell function used to list preferences for Windows Defender scans and updates, including any configured exclusions. The query is relevant to the MITRE ATT&CK technique T1518.001, which involves discovering security software settings.
Key Points:
- Purpose: The query aims to detect when the
Get-MpPreferencecommand is executed, as adversaries might use this information to understand security software configurations and potentially exploit exclusions to execute malicious code. - Components:
- ProcessBased: This part of the query looks at
DeviceProcessEventsto find instances where the command line includesGet-MpPreference. It organizes the results by table name, timestamp, device name, process command line, and the initiating process file name. - EventBased: This part examines
DeviceEventsto identify when theGet-MpPreferencecommand is executed. It extracts the script location from the initiating process command line and organizes the results similarly to the ProcessBased component.
- ProcessBased: This part of the query looks at
- Union: The results from both
ProcessBasedandEventBasedare combined to provide a comprehensive view of all occurrences of theGet-MpPreferencecommand execution.
Risk:
- Adversaries can exploit the information obtained from
Get-MpPreferenceto bypass security measures by abusing exclusions, potentially allowing them to execute malicious content undetected.
Considerations:
- False positives may occur if legitimate administrators are configuring or listing settings using this command.
References:
- The query references official Microsoft documentation and a blog post on creating persistent Defender AV exclusions to bypass endpoint detection.
