Forum Discussion
Query for Windows Defender Activity changes
I was wondering what will be the best way to track changes via Windows Defender Activity.
- MHenshaw (Copper Contributor)
Hi There what specific changes are you looking for?
- ebstes (Copper Contributor)
#xdr #kql #detection #sentinel
I am thinking this query would help, and I would appreciate other opinions.

```kql
// Registry writes that switch off Defender real-time protection or the AV engine
DeviceRegistryEvents
| where RegistryKey has_any ("Real-Time Protection", "Windows Defender")
| where RegistryValueName in ("DisableRealtimeMonitoring", "DisableAntiSpyware")
| where RegistryValueData == "1"
```

I am trying to track changes in Defender activity on endpoints, such as disabling Defender antivirus. I’m also wondering if XDR automatically detects this, for example if an attacker disables Defender as part of a persistence technique, maybe using PowerShell or just like this.
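The following is an added example, not code from ebstes or from Microsoft: it re-implements the three filters of the posted KQL query in Python over a few constructed rows shaped like the Advanced Hunting DeviceRegistryEvents table (the DeviceName, ActionType, RegistryKey, RegistryValueName and RegistryValueData columns), so the matching behaviour can be sanity-checked offline before the query is deployed. The key paths and device names in the sample rows are made up. One caveat the rows exercise: KQL `in` is case-sensitive while registry value names are not, so a write to `disableantispyware` slips past `in` but is caught by `in~`; the `case_insensitive_names` flag below models that difference.

```python
import re

# Constructed sample rows shaped like DeviceRegistryEvents (column names are the
# real Advanced Hunting ones; every value below is invented for the example).
SAMPLE_EVENTS = [
    # Policy value written that turns real-time protection off: should fire.
    {"DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "RegistryValueName": "DisableRealtimeMonitoring", "RegistryValueData": "1"},
    # Same value name with different casing (registry names are case-insensitive):
    # KQL `in` misses it, `in~` catches it.
    {"DeviceName": "ws02", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
     "RegistryValueName": "disableantispyware", "RegistryValueData": "1"},
    # Protection switched back on: data "0" must not fire.
    {"DeviceName": "ws03", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "RegistryValueName": "DisableRealtimeMonitoring", "RegistryValueData": "0"},
    # Unrelated product reusing the same value name: key terms do not match.
    {"DeviceName": "ws04", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Agent",
     "RegistryValueName": "DisableRealtimeMonitoring", "RegistryValueData": "1"},
]

# The literals from the posted query.
KEY_TERMS = ("Real-Time Protection", "Windows Defender")
VALUE_NAMES = ("DisableRealtimeMonitoring", "DisableAntiSpyware")


def has_any(text, terms):
    """Approximate KQL `has_any`: case-insensitive match on whole terms only,
    so 'Windows Defender' matches '...\\Windows Defender\\...' but a term that is
    merely a substring of a longer word does not."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            return True
    return False


def defender_disable_events(events, case_insensitive_names=False):
    """Apply the thread's three filters and return the matching rows.

    case_insensitive_names=False mirrors `RegistryValueName in (...)`;
    case_insensitive_names=True mirrors `RegistryValueName in~ (...)`.
    """
    if case_insensitive_names:
        names = {n.lower() for n in VALUE_NAMES}
    else:
        names = set(VALUE_NAMES)
    hits = []
    for ev in events:
        name = ev["RegistryValueName"]
        if case_insensitive_names:
            name = name.lower()
        if (has_any(ev["RegistryKey"], KEY_TERMS)
                and name in names
                and ev["RegistryValueData"] == "1"):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for label, flag in (("in", False), ("in~", True)):
        devices = [e["DeviceName"] for e in defender_disable_events(SAMPLE_EVENTS, flag)]
        print(f"RegistryValueName {label}: {devices}")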
- MHenshaw (Copper Contributor)
Hi ebstes
Couple of things: I'd make sure tamper protection is enabled in the Defender portal, as this stops potential attackers from making changes to key Defender components. PowerShell also has some good script blocking features that you can look into enabling:
- https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security
- https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
All the best
Matt