The hypothesis is that an adversary may be attempting to disable or bypass Microsoft Defender AV by manipulating its security intelligence and engine versions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential tampering with endpoint protection mechanisms and detect early signs of malware evasion.
KQL Query
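// Defender AV state inventory from the TVM info-gathering snapshot.
// Normalises the AV mode and the three "up to date" flags so that missing or
// stale values surface as "Unknown" instead of being read as current.
//
// Reviewer notes on the null handling:
//  * Properties under AdditionalFields are dynamic. tostring() of a missing
//    property yields an empty string, never null, so the string flags are
//    tested with isempty() — isnull() on a string column never fires in KQL,
//    which is why the original checks could not mark a missing flag "Unknown".
//  * todatetime() of a missing property does return null, so isnull() stays
//    correct for the two timestamp columns.
let expiringPublishdate = ago(8d);   // anything published/refreshed before this is treated as stale
DeviceTvmInfoGathering
// Human-readable AV mode; any value outside the known set falls through to "Unknown".
| extend AvModeRaw = tostring(AdditionalFields.AvMode)
| extend AvMode = case(
    AvModeRaw == '0', 'Active',
    AvModeRaw == '1', 'Passive',
    AvModeRaw == '2', 'Disabled',
    AvModeRaw == '5', 'PassiveAudit',
    AvModeRaw == '4', 'EDR Blocked',
    'Unknown')
| extend
    AvIsSignatureUpToDateTemp = tostring(AdditionalFields.AvIsSignatureUptoDate),
    DataRefreshTimestamp = Timestamp,
    AvIsPlatformUptodateTemp = tostring(AdditionalFields.AvIsPlatformUptodate),
    AvIsEngineUptodateTemp = tostring(AdditionalFields.AvIsEngineUptodate),
    AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
    AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
    AvSignatureVersion = tostring(AdditionalFields.AvSignatureVersion),
    AvEngineVersion = tostring(AdditionalFields.AvEngineVersion),
    AvPlatformVersion = tostring(AdditionalFields.AvPlatformVersion)
// Signature flag: "Unknown" when any input is missing, or when the device
// reports "true" but the signature it carries was published before the threshold.
| extend AvIsSignatureUpToDate = iif(
    isempty(AvIsSignatureUpToDateTemp)
    or isnull(AvSignatureDataRefreshTime)
    or isnull(AvSignaturePublishTime)
    or (AvIsSignatureUpToDateTemp == "true" and AvSignaturePublishTime < expiringPublishdate),
    "Unknown", AvIsSignatureUpToDateTemp)
// Engine and platform flags: "Unknown" when any input is missing or either
// timestamp is older than the threshold, whatever the reported flag says.
| extend AvIsEngineUpToDate = iif(
    isempty(AvIsEngineUptodateTemp)
    or isnull(AvSignatureDataRefreshTime)
    or isnull(AvSignaturePublishTime)
    or AvSignatureDataRefreshTime < expiringPublishdate
    or AvSignaturePublishTime < expiringPublishdate,
    "Unknown", AvIsEngineUptodateTemp)
| extend AvIsPlatformUpToDate = iif(
    isempty(AvIsPlatformUptodateTemp)
    or isnull(AvSignatureDataRefreshTime)
    or isnull(AvSignaturePublishTime)
    or AvSignatureDataRefreshTime < expiringPublishdate
    or AvSignaturePublishTime < expiringPublishdate,
    "Unknown", AvIsPlatformUptodateTemp)
| project DeviceId, DeviceName, DataRefreshTimestamp, OSPlatform, AvMode,
    AvSignatureVersion, AvIsSignatureUpToDate,
    AvEngineVersion, AvIsEngineUpToDate,
    AvPlatformVersion, AvIsPlatformUpToDate,
    AvSignaturePublishTime, AvSignatureDataRefreshTime
// Keep the most recent collection window; swap in the commented absolute
// range when investigating a historical period.
//| where DataRefreshTimestamp between (datetime("2022-07-19 00:00:00") .. datetime("2022-07-19 18:01:00"))
| where DataRefreshTimestamp > ago(6h)
// To focus the hunt on devices that may have been tampered with, narrow to
// those not in Active mode or not reporting every component as current, e.g.:
//| where AvMode != 'Active' or AvIsSignatureUpToDate != 'true' or AvIsEngineUpToDate != 'true' or AvIsPlatformUpToDate != 'true'
| order by DeviceName asc
| limit 10000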
id: FEE07B7B-E704-4216-BBFC-3B1344136E07
name: Microsoft Defender AV details
description: |
'This query identifies, per device, the Microsoft Defender Antivirus Security Intelligence version and its up-to-date value, the Engine version and its up-to-date value, the Product (aka Platform) version and its up-to-date value, the Security Intelligence publish/build timestamp and the Security Intelligence refresh timestamp, and lists the devices with these details.'
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
let expiringPublishdate = ago(8d);
DeviceTvmInfoGathering
| extend AvMode = iif(tostring(AdditionalFields.AvMode) == '0', 'Active', iif(tostring(AdditionalFields.AvMode) == '1', 'Passive',iif(tostring(AdditionalFields.AvMode) == '2', 'Disabled', iif(tostring(AdditionalFields.AvMode) == '5', 'PassiveAudit',iif(tostring(AdditionalFields.AvMode) == '4', 'EDR Blocked' ,'Unknown')))))
| extend AvIsSignatureUpToDateTemp = tostring(AdditionalFields.AvIsSignatureUptoDate), DataRefreshTimestamp= Timestamp,
AvIsPlatformUptodateTemp=tostring(AdditionalFields.AvIsPlatformUptodate),
AvIsEngineUptodateTemp = tostring(AdditionalFields.AvIsEngineUptodate),
AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
AvSignatureVersion = tostring(AdditionalFields.AvSignatureVersion),
AvEngineVersion = tostring(AdditionalFields.AvEngineVersion),
AvPlatformVersion = tostring(AdditionalFields.AvPlatformVersion)
| extend AvIsSignatureUpToDate = iif(((((isnull(AvIsSignatureUpToDateTemp)
or (isnull(AvSignatureDataRefreshTime)))
or (isnull(AvSignaturePublishTime))))
or (AvIsSignatureUpToDateTemp == "true"
and AvSignaturePublishTime < expiringPublishdate)), "Unknown", tostring(AvIsSignatureUpToDateTemp))
| extend AvIsEngineUpToDate = iif(((((isnull(AvIsEngineUptodateTemp)
or (isnull(AvSignatureDataRefreshTime)))
or (isnull(AvSignaturePublishTime)))
or (AvSignatureDataRefreshTime < expiringPublishdate))
or (AvSignaturePublishTime < expiringPublishdate)), "Unknown", tostring(AvIsEngineUptodateTemp))
| extend AvIsPlatformUpToDate = iif(((((isnull(AvIsPlatformUptodateTemp)
or (isnull(AvSignatureDataRefreshTime)))
or (isnull(AvSignaturePublishTime)))
or (AvSignatureDataRefreshTime < expiringPublishdate))
or (AvSignaturePublishTime < expiringPublishdate)), "Unknown", tostring(AvIsPlatformUptodateTemp))
| project DeviceId, DeviceName, DataRefreshTimestamp, OSPlatform, AvMode, AvSignatureVersion, AvIsSignatureUpToDate, AvEngineVersion, AvIsEngineUpToDate, AvPlatformVersion , AvIsPlatformUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
//| where DataRefreshTimestamp between (datetime("2022-07-19 00:00:00") .. datetime("2022-07-19 18:01:00"))
| where DataRefreshTimestamp > ago(6h)
| order by DeviceName a
Note: the exclusions below refer to Defender event-log fields (EventID, Source, Task, Product) that are not among the columns projected by the query above; apply them to the corresponding Defender event-log data rather than to the DeviceTvmInfoGathering results.
Scenario: Scheduled Microsoft Defender Antivirus Update Task
Description: A legitimate scheduled task runs to update Microsoft Defender Antivirus definitions and engine files.
Filter/Exclusion: Exclude events where EventID is 1000 or 1001 (related to definition updates) and where the Product is “Microsoft Defender Antivirus”.
Scenario: Microsoft Defender AV Service Restart via Group Policy
Description: An administrator manually or automatically restarts the Microsoft Defender Antivirus service as part of a system maintenance or policy update.
Filter/Exclusion: Exclude events where the EventID is 1000 and the Source is “Microsoft Defender Antivirus” with a Task related to service restart.
Scenario: Microsoft Defender AV Scan Triggered by Third-Party Tool
Description: A third-party tool or script (e.g., Microsoft Endpoint Manager, SCCM, or third-party monitoring software) triggers a full or quick scan of the system.
Filter/Exclusion: Exclude events where the Source is a known third-party tool or where the Task field contains “Scan” or “Full Scan”.
Scenario: Microsoft Defender AV Engine Version Upgrade via Windows Update
Description: A Windows Update or Microsoft Update deploys a new version of the Microsoft Defender Antivirus engine.
Filter/Exclusion: Exclude events where the EventID is 1000 and the Engine version field indicates a version change due to a Windows Update.
Scenario: Microsoft Defender AV Configuration Change via PowerShell Script
Description: An administrator uses a PowerShell script to configure or modify Microsoft Defender AV settings (e.g., disabling real-time protection temporarily).
Filter/Exclusion: Exclude events where the Source is “PowerShell” and the Task field