Query Details

List Tampering Attempts

Query

DeviceEvents
| where ActionType == "TamperingAttempt"
| extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
| summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceName

About this query

List Tampering Attempts

Query Information

Description

This query lists all the tampering attempts that have been observed by each device. This means that tampering protection acted and blocked the action. The action may be suspicious itself. The rule will generate false positives, which need filtering based on your environment.

Risk

An adversary tries to disable security logging / monitoring to perform malicious activities undetected.

References

Defender XDR

Sentinel

DeviceEvents
| where ActionType == "TamperingAttempt"
| extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
| summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceName

Explanation

This query is designed to identify and list any attempts to tamper with security settings on devices. It focuses on actions that have been blocked by tamper protection, which is a security feature intended to prevent unauthorized changes to security settings. The query provides a summary of these tampering attempts for each device, including:

  • The total number of tampering actions observed.
  • The types of tampering actions attempted.
  • The specific targets of these actions.
  • The registry names involved.
  • The command lines that initiated these actions.

The query is run on data from Microsoft Defender XDR and Microsoft Sentinel, and it may generate false positives that need to be filtered based on the specific environment. The purpose is to detect potential adversaries trying to disable security measures to carry out malicious activities without being detected.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceEvents

Keywords

DeviceEventsTamperingAttemptAdditionalFieldsActionStatusTargetRegistryValueNameInitiatingProcessCommandLine

Operators

whereextendtostringparse_jsonsummarizecountmake_set

Actions

GitHub