What Changed
Added a hunting query targeting advanced rootkits that achieve Ring-0 (kernel-space) execution in order to blind EDR network telemetry while keeping their C2 traffic flowing.
Detection Logic
The query implements a “Network Truth vs Host Truth” comparison:
- Network Truth: ASimNetworkSessionLogs from perimeter firewalls (Palo Alto, Fortinet, Check Point, Cisco, Zscaler)
- Host Truth: DeviceNetworkEvents and DeviceNetworkInfo from MDE
- Core Logic: Left anti-join identifies outbound TCP connections visible to firewalls but completely missing from MDE telemetry
- Entity Mappings: Host (HostName, DnsDomain), IP (source and destination addresses)
Uses compute optimizations including pre-filtering to hosts that MDE is actively reporting on, data stratification via DeviceNetworkInfo, and compliance with the left-side join rule (smaller, filtered set on the left) to prevent O(N*M) join explosions.
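The following KQL is an added illustration of the "Network Truth vs Host Truth" anti-join described above; it is not the query in this PR and is not the project's own code. It assumes the standard ASimNetworkSessionLogs, DeviceNetworkEvents and DeviceNetworkInfo schemas, and the lookback window, 1-minute time bucket and minMissing threshold are constructed values chosen for the example.

```kql
// Added example, not the PR's query: firewall-observed outbound TCP flows that MDE never reported.
let lookback = 1d;          // assumed hunting window
let minMissing = 5;         // assumed noise threshold: ignore hosts with fewer unmatched flows
// Stratify: only hosts MDE is actively reporting on, keyed by the IPs they currently hold.
let activeHosts = DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    | where NetworkAdapterStatus == "Up"
    | extend Ips = parse_json(IPAddresses)
    | mv-expand Ips
    | extend SrcIpAddr = tostring(Ips.IPAddress)
    | where isnotempty(SrcIpAddr)
    | summarize arg_max(Timestamp, DeviceName) by SrcIpAddr
    | project SrcIpAddr, DeviceName;
// Host truth: outbound TCP connections the MDE sensor saw, bucketed to the minute.
let hostTruth = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | where Protocol == "Tcp"
    | project SrcIpAddr = LocalIP, DstIpAddr = RemoteIP,
              DstPortNumber = RemotePort, TimeBucket = bin(Timestamp, 1m);
// Network truth: outbound TCP sessions the perimeter saw, restricted to active MDE hosts
// (inner join) before the anti-join so the expensive comparison runs on a small left side.
ASimNetworkSessionLogs
| where TimeGenerated > ago(lookback)
| where NetworkProtocol == "TCP" and NetworkDirection == "Outbound"
| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr)
| project SrcIpAddr, DstIpAddr, DstPortNumber, TimeBucket = bin(TimeGenerated, 1m)
| join kind=inner activeHosts on SrcIpAddr
// Left anti-join: keep only flows with no matching MDE record in the same minute.
| join kind=leftanti hostTruth on SrcIpAddr, DstIpAddr, DstPortNumber, TimeBucket
| summarize MissingFlows = count(), DstIps = make_set(DstIpAddr, 20),
            FirstSeen = min(TimeBucket), LastSeen = max(TimeBucket)
    by DeviceName, SrcIpAddr
| where MissingFlows >= minMissing
| order by MissingFlows desc
```

The 1-minute bucket absorbs clock skew between the firewall and the endpoint; widen it if the two sources are not time-synchronized, and raise minMissing in environments where NAT or asymmetric routing produces a baseline of unmatched flows, since a hit here means the perimeter saw traffic the endpoint sensor did not, not necessarily that the host is compromised.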
Detection Surface Unlocked
Detects BYOVD (Bring Your Own Vulnerable Driver) techniques where adversaries:
- Unlink Windows Filtering Platform (WFP) callouts
- Inject raw frames directly into NDIS
- Achieve complete EDR network telemetry blindness while maintaining C2 communication
This creates a detection paradox: kernel-level endpoint tampering cannot hide physical packets leaving the network boundary.
MITRE Coverage
- T1562.001: Disable or Modify Tools (EDR bypass)
- T1562.004: Disable or Modify System Firewall (WFP manipulation)
- T1011: Exfiltration Over Other Network Medium
Implementation Notes
Query includes extensive tuning guidance for production deployment, threshold configuration for noise reduction, and specific warnings about compute impact when converting to scheduled analytics rule.
Affected Files
Hunting Queries/Microsoft 365 Defender/Defense evasion/PotentialRootkitTrafficMissingFromMDE.yaml