Adversaries may attempt to evade detection by suppressing or modifying antivirus alerts, which could indicate tampering with system defenses. SOC teams should proactively hunt for unusual patterns in antivirus detection events to identify potential evasion tactics and uncover hidden malicious activity in their Azure Sentinel environment.
KQL Query
```kql
// Query #2:
// This query selects only machines where more than 1 malware family was detected.
// Such behavior is usually indicative that some malware was active on the machine.
// Implementation details:
// This query looks for alerts on Windows Defender Antivirus detections.
// For most purposes it is probably better to query on the events themselves (see query #1).
// However, this query might still be useful sometimes (e.g. to quickly parse the family name).
AlertInfo
| join AlertEvidence on AlertId
| where Title contains "Defender AV detected"
// Extract the family name, i.e. the text between the first pair of single quotes in the title
| parse Title with * "'" FamilyName "'" *
| summarize FamilyCount=dcount(FamilyName), Families=make_set(FamilyName), Titles=make_set(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
| where FamilyCount > 1
| limit 100
```
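To make the query's semantics concrete, the following is an added Python re-implementation of its logic (not part of the original hunting query) run over a constructed set of joined AlertInfo/AlertEvidence rows; the alert titles are made-up samples that follow the `... detected '<Family>' ...` shape the `parse` operator expects. It shows why two families on the same device but on different days do not fire, and why repeated hits of one family do not either.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows standing in for the joined AlertInfo/AlertEvidence result
# (hypothetical device names, ids and titles; not real telemetry).
SAMPLE_ALERTS = [
    {"AlertId": "a1", "DeviceName": "ws01", "DeviceId": "d-ws01", "Timestamp": "2024-03-01T08:15:00Z",
     "Title": "Windows Defender AV detected 'Trojan:Win32/Emotet' malware"},
    {"AlertId": "a2", "DeviceName": "ws01", "DeviceId": "d-ws01", "Timestamp": "2024-03-01T09:40:00Z",
     "Title": "Windows Defender AV detected 'Trojan:Win32/Emotet' malware"},
    {"AlertId": "a3", "DeviceName": "ws01", "DeviceId": "d-ws01", "Timestamp": "2024-03-01T17:02:00Z",
     "Title": "Windows Defender AV detected 'TrojanDownloader:O97M/Obfuse' malware"},
    {"AlertId": "a4", "DeviceName": "ws02", "DeviceId": "d-ws02", "Timestamp": "2024-03-01T10:00:00Z",
     "Title": "Windows Defender AV detected 'PUA:Win32/Presenoker' malware"},
    {"AlertId": "a5", "DeviceName": "ws02", "DeviceId": "d-ws02", "Timestamp": "2024-03-02T10:00:00Z",
     "Title": "Windows Defender AV detected 'Trojan:Win32/Emotet' malware"},
    {"AlertId": "a6", "DeviceName": "ws03", "DeviceId": "d-ws03", "Timestamp": "2024-03-01T12:00:00Z",
     "Title": "Suspicious PowerShell command line"},
]


def parse_family(title):
    """Mimic `parse Title with * "'" FamilyName "'" *`: return the text between
    the first pair of single quotes, or None when the pattern does not match."""
    start = title.find("'")
    if start == -1:
        return None
    end = title.find("'", start + 1)
    if end == -1:
        return None
    return title[start + 1:end]


def multi_family_devices(alerts):
    """Return {(DeviceName, DeviceId, day): sorted families} for every
    device/day bin in which more than one distinct family was detected."""
    families = defaultdict(set)
    for row in alerts:
        if "Defender AV detected" not in row["Title"]:  # where Title contains ...
            continue
        fam = parse_family(row["Title"])
        if fam is None:  # parse drops rows that do not match the pattern
            continue
        ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        day = ts.date().isoformat()  # bin(Timestamp, 1d): truncate to the day
        families[(row["DeviceName"], row["DeviceId"], day)].add(fam)
    # dcount(FamilyName) > 1
    return {key: sorted(fams) for key, fams in families.items() if len(fams) > 1}
```

Only `ws01` on 2024-03-01 is returned; `ws02` saw two families but on different days, and `ws03` has no Defender AV alert at all.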
```yaml
id: 05250700-5123-45be-826d-dd14c623fade
name: Antivirus detections (1)
description: |
  Query for Microsoft Defender Antivirus detections.
  Query #1: Query for Antivirus detection events.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
query: |
  // Query #2:
  // This query selects only machines where more than 1 malware family was detected.
  // Such behavior is usually indicative that some malware was active on the machine.
  // Implementation details:
  // This query looks for alerts on Windows Defender Antivirus detections.
  // For most purposes it is probably better to query on the events themselves (see query #1).
  // However, this query might still be useful sometimes (e.g. to quickly parse the family name).
  AlertInfo
  | join AlertEvidence on AlertId
  | where Title contains "Defender AV detected"
  // Extract the family name, i.e. the text between the first pair of single quotes in the title
  | parse Title with * "'" FamilyName "'" *
  | summarize FamilyCount=dcount(FamilyName), Families=make_set(FamilyName), Titles=make_set(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
  | where FamilyCount > 1
  | limit 100
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Microsoft Defender Antivirus scheduled scan completes | `ProcessName != "MsMpEng.exe" or EventID != 12500` |
| System update or patching process triggers temporary antivirus scan | `ProcessName != "WindowsUpdate.exe" or EventID != 12500` |
| Admin manually runs a virus scan using Microsoft Defender | `ProcessName != "MsMpEng.exe" or User != "Administrator"` |
| Antivirus signature update process generates detection events | `EventID != 12500 or ProcessName != "MpCmdRun.exe"` |
| Legitimate third-party software triggers a false positive detection | `FileHash != "known_good_hashes" or ProcessName != "legitimate_tool.exe"` |