Defendnot Detection
Query
// https://emsroute.com/2025/05/23/why-defendnot-is-a-wakeup-call-a-ground-level-analysis/
// https://github.com/es3n1n/defendnot
// https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques
// Remember to set the query period - v2 detection
let AvModeDescription = dynamic({"0":"Normal", "1":"Passive", "4":"EDR Block"});
let DeviceEDRPassive =
DeviceTvmInfoGathering
| extend AdditionalFields = parse_json(AdditionalFields)
| extend AvEngineVersion = tostring(AdditionalFields.["AvEngineVersion"])
| extend AvPlatformVersion = tostring(AdditionalFields.["AvPlatformVersion"])
| extend AvMode = tostring(AvModeDescription[tostring(AdditionalFields.["AvMode"])])
| where isnotempty( AvMode ) and AvMode == "Passive"
| distinct DeviceName;
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName has "ctx.bin"
| where DeviceName has_any(DeviceEDRPassive)Explanation
This KQL (Kusto Query Language) query is designed to identify specific security-related events on devices that are operating in a "Passive" mode. Here's a breakdown of what the query does in simple terms:
-
Define AvModeDescription: A mapping is created to translate numerical values into descriptive text for different antivirus modes. For example, "0" is "Normal", "1" is "Passive", and "4" is "EDR Block".
-
Identify Passive Mode Devices:
- The query looks at the
DeviceTvmInfoGatheringtable to gather information about devices. - It extracts additional fields like
AvEngineVersion,AvPlatformVersion, andAvModefrom theAdditionalFieldsJSON. - It converts the
AvModenumber into a descriptive text using theAvModeDescriptionmapping. - It filters the results to only include devices where the antivirus mode is "Passive".
- It then creates a distinct list of device names that are in "Passive" mode.
- The query looks at the
-
Detect Specific File Creation Events:
- The query then looks at the
DeviceFileEventstable to find events where a file named "ctx.bin" was created. - It filters these events to only include those that occurred on devices identified as being in "Passive" mode.
- The query then looks at the
In summary, this query identifies devices running in a "Passive" antivirus mode and checks if any of these devices have had a file named "ctx.bin" created on them. This could be part of an investigation into potential security bypass techniques, as indicated by the provided URLs.
Details

Steven Lim
Released: May 26, 2025
Tables
Keywords
Operators