Blog Post

Microsoft Defender for Endpoint Blog

3 MIN READ

Unleash the Hunter in You

Microsoft

Mar 19, 2018

With the new Advanced Hunting capability on Windows Defender Advanced Threat Protection, you have even more powerful tools for successfully tracking and identifying advanced persistent threats. To help get you started, here are some examples that will give you a feel of Advanced Hunting and how it can help with your day-to-day hunting tasks. These examples cover new vulnerabilities as well as classic techniques used by attackers in the wild.

0-day Flash exploit attacks

Vulnerability overview: Zero-day remote code execution (RCE) exploit for the Adobe Flash Player vulnerability CVE-2018-4878 actively being used in the wild. Check out this blog post for more details.
Query goal: Finds characteristics related to attacks. This query checks for specific processes and URLs used in the attack.
Query:

NetworkCommunicationEvents

| where EventTime > ago(14d)

| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentName =~ "excel.exe"

| where RemoteUrl endswith ".kr"

| project EventTime, ComputerName, RemoteIP, RemoteUrl

| top 100 by EventTime

Attacks exploiting the Electron framework vulnerability

Vulnerability overview: Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps. The vulnerability affects Electron apps that use custom protocol handlers. Read this article for more details.
Query goal: The query checks process command lines to find machines where there have been attempts to exploit the Protocol Handler Vulnerability, which affects apps that are based on the Electron platform, such as Skype, Teams, and Slack, and are registered as default protocol handlers.
Query:

ProcessCreationEvents

| where EventTime > ago(14d)

| where FileName in ("code.exe", "skype.exe", "slack.exe", "teams.exe")

| where InitiatingProcessFileName in ("iexplore.exe", "runtimebroker.exe", "chrome.exe")

| where ProcessCommandLine has "--gpu-launcher"

| summarize FirstEvent=min(EventTime), LastEvent=max(EventTime) by ComputerName, ProcessCommandLine, FileName, InitiatingProcessFileName

Enumeration of users/groups for lateral movement

Background: Enumeration of users and groups is an attacker activity commonly preceding privilege escalation and lateral movement attempts. These resources are typically enumerated to identify possible targets for compromise within the breached network.
Query goal: The query finds attempts to list users or groups using Net commands.
Query:

ProcessCreationEvents

| where EventTime > ago(14d)

| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'

| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain')

| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine)

| filter Target != ''

| project AccountName, Target, ProcessCommandLine, ComputerName, EventTime

| sort by AccountName, Target

Sticky key attacks

Background: The sticky key accessibility program (sethc.exe) is often used to launch attacks because it can be launched without signing in to Windows. Attackers often replace this accessibility program with more powerful applications like cmd.exe to perform more complex tasks. For more information about sticky key attacks, read this article by the MITRE ATT&CK™ team.
Query goal: This query looks for attempts to launch cmd.exe in place of accessibility programs.
Query:

let PrevalentCmdExeHash =

ProcessCreationEvents

| where EventTime > ago(14d)

| where FileName =~ 'cmd.exe'

| summarize count(ComputerName) by SHA1

| where count_ComputerName > 1000;

PrevalentCmdExeHash

| join kind=inner

(

ProcessCreationEvents

| project EventTime, ComputerName, ProcessCommandLine, FileName, SHA1

| where EventTime > ago(7d)

| where FileName in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe")

)

on SHA1

If you enjoyed using these examples, check out the default saved queries available on the Advanced Hunting page. Let us know what you think through the feedback system on the menu (click the smiley icon) or join the community in building powerful queries using the Advanced Hunting GitHub repository.

Thank you!

Windows Defender ATP Team

Updated Sep 16, 2020

Version 6.0

Advanced hunting

Liza Mash Levin

Microsoft

Joined August 20, 2017

View Profile

Microsoft Defender for Endpoint Blog

Microsoft Defender for Endpoint disrupts ransomware with industry-leading endpoint security, providing comprehensive protection across all platforms and devices.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

Neil Goldstein
Iron Contributor
Apr 14, 2018
Liza,

This uses the new Log Analytics query language - but can we do things like:
Use Microsoft Flow to schedule queries
Can we save the output of queries to some persistent storage - right now we can manually click on Export to Excel
Can Log Analytics or PowerBI connect to the hunting data (The current PowerBI dashboard for Defender ATP seems to be focused on raised alerts - the data set doesn't seem to show the full hunting data)

So far this looks very useful.

-Neil
- Tomer Brand
  Microsoft
  Apr 25, 2018
  Neil,
  
  If I read your comment correctly you are asking for API access to the advanced hunting capabilities.
  Please submit this request via the portal feedback option (and include your email address).
  
  Thanks,
  Tomer
  - Neil Goldstein
    Iron Contributor
    Apr 25, 2018
    Tomer,
    
    I was implying two questions with my "connecting log analytics or power bi" question:
    A)
    It looks like Advanced Hunting is based on Log Analytics (given the volume of data and the query language - why wouldn't you leverage a service which is exactly designed for the massive data quantity and query system) ---
    So if its based on Log Analytics -- well that already has a system for linking to PowerBI for reporting and visualization and it also has a Microsoft Flow connector for triggering actions.
    
    B)
    If Advanced Hunting is a NOT a view/skin of data stored in Log Analytics, then yes I would be interested in an API or some other interface so I could visualize data in PowerBI.
    
    Example: Lets say we create some test campaigns to find out if users fall for click-bait-phishing links that snuck into a Microsoft teams discussion. Being able perform analysis on user behavior just before and after falling for the click-bait, on a day by day as well as over a 30, 60, 90 day period just might be interesting.
    
    (but isn't that the point of a having this large data set -- you might be able to find patterns 15, 30, 60, 90 days later that you didn't think of in advance, in part to determine if other devices were compromised? )
- Neil Goldstein
  Iron Contributor
  Apr 16, 2018
  Where do we post feedback and/or bugs with Advanced Hunting? Uservoice?
  
  I have had a number of odd glitches with the "Export to Excel" after running a saved query.
  
  Thanks!
Sean Friart
Brass Contributor
Apr 13, 2018
AH is evolving in a very positive way. I have some follow up questions:

Are you looking to offer import capabilities, something along the lines of consumers downloading IOC standard type formats (OpenIOC_1.1, STIX, YARA) that can be converted into a format to be used in AH?
Would be great to create a query, schedule it to run and have a number of alert notification capabilities e.g. via a dashboard in the portal, email etc. Is this something on your roadmap?
Any thoughts on the ability to ingest results of queries into a SIEM?
- Tomer Brand
  Microsoft
  Apr 25, 2018
  Hi Sean,
  
  We have a custom TI interface which you can use to convert your IOC streams into and feed to WDATP. Once done the system will constantly match those against incoming telemetry and raise alert in case of a match (documentation is here)
  
  Regarding the schedule queries and alert on the results - yes this is on our RS5 list. The intent here is to make those standard alerts, which will also be available for pulling over the SIEM interface
  
  Thanks,
  
  Tomer
Mike Hamilton
Copper Contributor
Apr 12, 2018
Any chance you guys will be adding 'Reverse DNS Names' to the NetworkCommunicationEvent as a searchable criteria for the RemoteIp? I'm assuming that data in the Security Console is populated on-demand when hitting an IP Overview page rather than continuously stored, but being able to use FQDNs (especially with wildcards, regex, etc) for searching malware domains, or a set of domains associated with various campaigns would be very powerful! Attaching a screenshot of Mac-based OceanLotus backdoor and the IPs where the C&C domains show up.
Keith Custers
Copper Contributor
Mar 27, 2018
Great work! I love this advanced hunting. I was wondering if there is a function to get the bottom events instead of the top events?
- Liza Mash Levin
  Microsoft
  Mar 27, 2018
  Hi Keith,
  
  Thanks!
  
  when soring your results you can use asc instead desc .
Marc Spieler
Copper Contributor
Mar 21, 2018
Love the Advanced Hunting, it would be great if there was a forum for end users to share their queries or suggest new Alerts for Microsoft to add to the product. Similar to how Encase allows users to post and share endscripts.
- Liza Mash Levin
  Microsoft
  Mar 22, 2018
  Hi Marc,
  
  Great to hear!
  
  we've created our own GitHub repository to enable our users to share and contribute -
  
  https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/
  - Sean McVeigh
    Copper Contributor
    Apr 26, 2018
    Great idea!