Adversaries who tamper with Microsoft Defender Antivirus rarely need to forge version numbers; it is enough to block security intelligence updates, leave the platform unpatched, or switch the product into passive mode so that a stale engine and signature set keep running. SOC teams should therefore hunt for endpoints whose Defender Antivirus engine, security intelligence or platform versions lag the rest of the fleet, or whose antivirus mode is not Active, as indicators of tampering with endpoint protection or of drift that an intrusion can exploit. The query below builds that inventory from two Threat and Vulnerability Management secure configuration assessments: scid-2010 (antivirus mode) and scid-2011 (engine, security intelligence and platform versions).
id: 30035880-b7af-4d5e-8617-be7f070a5c1c
name: MD AV Signature and Platform Version
description: |
  This query identifies the Microsoft Defender Antivirus engine version, the Microsoft Defender Antivirus Security Intelligence version (and its last update timestamp), the product update version (aka Platform Update version), and the Microsoft Defender Antivirus mode on the endpoint (Active, Passive, EDR Blocked).
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSecureConfigurationAssessment
tactics:
  - Vulnerability
  - Misconfiguration
query: |
  // scid-2010 reports the Defender AV running mode. Context is a nested JSON array;
  // the mode code sits at [0][0]: 0 = Active, 1 = Passive, 4 = EDR Blocked.
  let avmodetable = DeviceTvmSecureConfigurationAssessment
  | where ConfigurationId == "scid-2010" and isnotnull(Context)
  | extend avdata = parse_json(Context)
  | extend AVMode = case(
      tostring(avdata[0][0]) == '0', 'Active',
      tostring(avdata[0][0]) == '1', 'Passive',
      tostring(avdata[0][0]) == '4', 'EDR Blocked',
      'Unknown')
  | project DeviceId, AVMode;
  // scid-2011 reports the version inventory. Context[0] is
  // [SigVersion, EngineVersion, SigLastUpdateTime, ProductVersion].
  DeviceTvmSecureConfigurationAssessment
  | where ConfigurationId == "scid-2011" and isnotnull(Context)
  | extend avdata = parse_json(Context)
  | extend AVSigVersion = tostring(avdata[0][0])
  | extend AVEngineVersion = tostring(avdata[0][1])
  | extend AVSigLastUpdateTime = tostring(avdata[0][2])
  | extend AVProductVersion = tostring(avdata[0][3])
  | project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, AVProductVersion, IsCompliant, IsApplicable
  // Inner join: devices with no scid-2010 record have no mode and are dropped.
  | join kind=inner avmodetable on DeviceId
  | project-away DeviceId1
Scenario: Scheduled Microsoft Defender Antivirus Update
Description: A scheduled update task refreshes the Microsoft Defender Antivirus security intelligence (signature) database, so the signature version and its last-update timestamp change on the next assessment.
Filter/Exclusion: Treat these changes as expected. When correlating with the Microsoft-Windows-Windows Defender operational log, exclude successful security intelligence updates (Event ID 2000); note that Event IDs 1000 and 1001 are scan started and scan finished, not update events.
Scenario: Microsoft Defender Antivirus Platform Update
Description: A platform update upgrades the underlying Microsoft Defender Antivirus engine and product version.
Filter/Exclusion: A platform or engine version that is higher than the previously recorded one is the normal result of an update and should not be flagged; reserve attention for versions that decrease or stay behind the fleet. Also exclude updates delivered by a known update management tool (e.g., Windows Server Update Services).
Scenario: Microsoft Endpoint Manager (MEM) Configuration Sync
Description: A configuration sync from Microsoft Endpoint Manager pushes new security intelligence or platform updates to the device.
Filter/Exclusion: Exclude updates whose source is Microsoft Endpoint Manager or another known configuration management tool.
Scenario: Manual Microsoft Defender Antivirus Engine Upgrade
Description: An administrator manually updates Microsoft Defender Antivirus using Microsoft Endpoint Configuration Manager or PowerShell.
Filter/Exclusion: Exclude updates initiated through known admin tooling, e.g., MpCmdRun.exe -SignatureUpdate or the Update-MpSignature PowerShell cmdlet.
Scenario: Microsoft Defender Antivirus Scan Job Execution
Description: A scheduled scan runs. Scans do not change the engine, signature or platform versions this query reports, but scan events are easily mistaken for update activity when the two are reviewed together.
Filter/Exclusion: Exclude scan start and finish events (Event ID 1000 and 1001, or filter by scan type) rather than suppressing version changes that merely coincide with a scan.
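The following is an added example, not part of the page's own hunting query, that turns the inventory above into a hunt and applies the update-related exclusions from the scenarios: it flags devices whose mode is not Active, whose signatures are stale, or whose engine version is behind the version most of the fleet runs, and it suppresses the stale-signature finding for devices that logged a successful security intelligence update in DeviceEvents (ActionType AntivirusDefinitionsUpdated) shortly before the snapshot. The 7-day and 24-hour thresholds and the output column names are assumptions to tune per tenant.

```kql
// Added example (not the page's original query). Thresholds below are assumptions.
let stale_after = 7d;      // assumption: signatures older than this are worth a look
let recent_update = 24h;   // assumption: an update inside this window explains a stale snapshot
// scid-2010: Defender AV mode code at Context[0][0].
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVMode = case(
    tostring(avdata[0][0]) == '0', 'Active',
    tostring(avdata[0][0]) == '1', 'Passive',
    tostring(avdata[0][0]) == '4', 'EDR Blocked',
    'Unknown')
| project DeviceId, AVMode;
// scid-2011: [SigVersion, EngineVersion, SigLastUpdateTime, ProductVersion] at Context[0].
let inventory = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVSigVersion = tostring(avdata[0][0]),
         AVEngineVersion = tostring(avdata[0][1]),
         AVSigLastUpdateTime = todatetime(avdata[0][2]),   // datetime so it can be compared with ago()
         AVProductVersion = tostring(avdata[0][3])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, AVProductVersion
| join kind=inner avmodetable on DeviceId
| project-away DeviceId1;
// Fleet baseline: the engine version run by the largest number of devices.
let fleet_engine = toscalar(
    inventory
    | summarize Devices = count() by AVEngineVersion
    | top 1 by Devices desc
    | project AVEngineVersion);
// Devices with a recent successful security intelligence update (scheduled, MEM-pushed or manual).
// The assessment snapshot may predate that update, so these devices are tagged rather than reported.
let recently_updated = DeviceEvents
| where Timestamp > ago(recent_update)
| where ActionType == "AntivirusDefinitionsUpdated"
| summarize LastSigUpdateEvent = max(Timestamp) by DeviceId;
inventory
| join kind=leftouter recently_updated on DeviceId
| project-away DeviceId1
| extend NotActive = AVMode != 'Active',
         StaleSigs = AVSigLastUpdateTime < ago(stale_after),
         // A version ahead of the fleet is the expected outcome of a platform update;
         // parse_version() compares dotted versions numerically, so only a lower one is flagged.
         EngineBehindFleet = parse_version(AVEngineVersion) < parse_version(fleet_engine),
         RecentlyUpdated = isnotnull(LastSigUpdateEvent)
| where NotActive or EngineBehindFleet or (StaleSigs and not(RecentlyUpdated))
| project DeviceName, OSPlatform, AVMode, AVSigVersion, AVSigLastUpdateTime, AVEngineVersion, AVProductVersion,
          NotActive, StaleSigs, EngineBehindFleet, LastSigUpdateEvent
| order by NotActive desc, StaleSigs desc, EngineBehindFleet desc
```

Devices in Passive or EDR Blocked mode are reported regardless of the exclusions, because none of the scenarios above legitimately changes the mode; the exclusions only explain version skew. If the tenant's pilot ring intentionally runs a newer engine, the fleet baseline still works, since only versions below it are flagged.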