kqlHunting
TrustedInstaller Abuse Detection
This query detects attempts to run commands as TrustedInstaller by reconfiguring or stopping the TrustedInstaller service (for example with sc.exe), which can be used to bypass the ACLs that protect Windows files and registry keys.
Detection Query
//This query detects attempts to become TrustedInstaller
//Such attempts could allow bypass of ACLs for endpoint tampering. See https://www.youtube.com/watch?v=Vj1uh89v-Sc
DeviceProcessEvents
// contains and has_any are case-insensitive, so the casing in the command line does not matter here
| where ProcessCommandLine contains "TrustedInstaller"
// service-control verbs and arguments used to reconfigure, stop or replace the service, e.g. sc config TrustedInstaller binPath= ...
| where ProcessCommandLine has_any("config", "sc", "sc.exe", "stop", "del", "binpath=")
// exclude the benign command that only changes the service start type; !~ is a case-insensitive
// comparison, whereas <> would let the same command through when typed with different casing
| where ProcessCommandLine !~ "SC config trustedinstaller start=auto"
Data Sources
DeviceProcessEvents
Platforms
windows
Tags
defender
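To check that the query fires on the commands it is meant to catch and stays quiet on the benign exclusion, the following is an added test harness, not part of the kqlHunting query itself: it runs the same three filters over a datatable of constructed DeviceProcessEvents rows. The host names, account names and command lines are invented, and the exclusion uses the case-insensitive `!~` operator so that the lowercase variant of the benign command is also dropped.

```kql
// Constructed sample events (not real telemetry) that exercise the detection above.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, AccountName:string, FileName:string, ProcessCommandLine:string) [
    // 1: service binary path replaced so the next start runs attacker code as TrustedInstaller
    datetime(2024-01-01 10:00:00), "host01", "admin", "sc.exe", 'sc.exe config TrustedInstaller binPath= "cmd.exe /c whoami > C:\\Windows\\Temp\\ti.txt"',
    // 2: starting the reconfigured service; matches on the "sc" term
    datetime(2024-01-01 10:00:05), "host01", "admin", "sc.exe", "sc start TrustedInstaller",
    // 3: benign start-type change, lowercase; must be excluded by the case-insensitive comparison
    datetime(2024-01-01 10:01:00), "host02", "SYSTEM", "sc.exe", "sc config trustedinstaller start=auto",
    // 4: stopping the service from a cmd wrapper; matches on "sc" and "stop"
    datetime(2024-01-01 10:02:00), "host03", "svc", "cmd.exe", "cmd /c sc stop TrustedInstaller",
    // 5: unrelated installer activity; never mentions TrustedInstaller
    datetime(2024-01-01 10:03:00), "host03", "user", "msiexec.exe", "msiexec /i C:\\temp\\app.msi"
];
SampleEvents
| where ProcessCommandLine contains "TrustedInstaller"
| where ProcessCommandLine has_any("config", "sc", "sc.exe", "stop", "del", "binpath=")
| where ProcessCommandLine !~ "SC config trustedinstaller start=auto"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
```

Replace `SampleEvents` with `DeviceProcessEvents` to run the same filters against live Advanced Hunting data. Rows 1, 2 and 4 are returned; row 3 is removed by the exclusion and row 5 never passes the `contains` filter. Keeping the original `<>` instead of `!~` would return row 3 as well, because `<>` compares case-sensitively and the excluded string starts with an uppercase `SC`.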