Home
%3CLINGO-SUB%20id%3D%22lingo-sub-541284%22%20slang%3D%22en-US%22%3ERe%3A%20Getting%20Started%20with%20Windows%20Defender%20ATP%20Advanced%20Hunting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-541284%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F69202%22%20target%3D%22_blank%22%3E%40Milad%20Aslaner%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EI%20will%20take%20the%20chance%20to%20add%20some%20inspiration%20to%20the%20hunting%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EExample%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EAn%20event%20(let's%20call%20it%20Event%20A)%20occour%20but%20is%20by%20itself%20not%20classed%20as%20malicious.%20However%20if%20Event%20B%20accours%20after%20a%20certain%20amout%20of%20time%20we%20have%20an%20incident.%20But%20Event%20B%20is%20by%20itself%20not%20malicious%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ESolution%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThis%20example%20is%20to%20hunt%20for%20a%20USB%20Rubber%20Ducky%20which%20is%20configured%20to%20execute%20powershell%20and%20run%20some%20commands%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EFirst%20we%20will%20Query%20for%20the%20device%20connection%20where%20device%20description%20is%20%22HID%20Keyboard%20Device%22%20but%20this%20event%20is%2C%20by%20itself%20not%20malicious%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3Elet%20MalPnPDevices%20%3D%0A%20%20%20%20MiscEvents%0A%20%20%20%20%7C%20where%20ActionType%20%3D%3D%20%22PnpDeviceConnected%22%0A%20%20%20%20%7C%20extend%20parsed%3Dparse_json(AdditionalFields)%0A%20%20%20%20%7C%20sort%20by%20EventTime%20desc%20nulls%20last%20%0A%20%20%20%20%7C%20where%20parsed.DeviceDescription%20%3D%3D%20%22HID%20Keyboard%20Device%22%0A%20%20%20%20%7C%20project%20PluginTime%3DEventTime%2C%20ComputerName%2Cparsed.ClassName%2C%20parsed.DeviceId%2C%20parsed.DeviceDescription%3B%3C%2FPRE%3E%3CP%3EAfter%20this%20event%20we%20want%20to%20see%20if%20we%20have%20a%20cmd%20or%20powershell%20execution%20to%20determain%20if%20this%20is%20a%20USB%20Rubber%20Ducky%2FBad%20USB.%3C%2FP%3E%3CP%3ETo%20achieve%20this%20we%20use%20the%20EventTime%20to%20compare%20with%20the%20eventtime%20of%20the%20process%20start%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EProcessCreationEvents%0A%7C%20where%20ProcessCommandLine%20contains%20%22powershell%22%20or%0A%20%20%20%20%20%20%20%20ProcessCommandLine%20startswith%20%22cmd%22%20%20%20%20%20%0A%7C%20project%20ProcessCommandLine%2C%20ComputerName%2C%20EventTime%2C%20ReportId%2C%20MachineId%0A%7C%20join%20kind%3Dinner%20MalPnPDevices%20on%20ComputerName%0A%7C%20where%20(EventTime-PluginTime)%20between%20(0min..10s)%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20join%20the%20first%20result%20with%20the%20new%20statement%20and%20look%20for%20the%20event%20time%20and%20make%20sure%20that%20the%20events%20were%20recorded%20within%2010%20seconds.%3C%2FP%3E%3CP%3E%3CEM%3E(The%20reson%20is%20that%20the%20attacker%20can%20configure%20the%20ducky%20to%20delay%20for%20x%20amount%20of%20seconds%20which%20you%20normaly%20do%20to%20have%20time%20for%20driver%20to%20load%2C%20but%20from%20attacker%20perspective%20you%20would%20normaly%20want%20the%20payload%20to%20execute%20as%20soon%20as%20possible)%20of%20course%20you%20can%20change%20the%20%22between%20seconds%22%20to%20whatever%20you%20want%20and%20this%20is%20just%20an%20example).%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E%3CSPAN%3EOutput%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20789px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F112452iEEA105ADBF1A7593%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22example_hunting.png%22%20title%3D%22example_hunting.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20use%20this%20example%20you%20may%20have%20to%20tweak%20it%20a%20bit%20to%20avoid%20FPs%20but%20this%20post%20is%20more%20to%20inspire%20to%20extend%20the%20queries.%3C%2FP%3E%3CPRE%3E%2F%2F%20Hunting%20for%20malicious%20HID%20Keyboard%20devices%0A%2F%2F%20PNP%20Event%20and%20Powershell%20or%20CMD%20within%2010%20seconds%20after%20driver%20load%0Alet%20MalPnPDevices%20%3D%0A%20%20%20%20MiscEvents%0A%20%20%20%20%7C%20where%20ActionType%20%3D%3D%20%22PnpDeviceConnected%22%0A%20%20%20%20%7C%20extend%20parsed%3Dparse_json(AdditionalFields)%0A%20%20%20%20%7C%20sort%20by%20EventTime%20desc%20nulls%20last%20%0A%20%20%20%20%7C%20where%20parsed.DeviceDescription%20%3D%3D%20%22HID%20Keyboard%20Device%22%0A%20%20%20%20%7C%20project%20PluginTime%3DEventTime%2C%20ComputerName%2Cparsed.ClassName%2C%20parsed.DeviceId%2C%20parsed.DeviceDescription%2C%20AdditionalFields%3B%0AProcessCreationEvents%0A%7C%20where%20ProcessCommandLine%20contains%20%22powershell%22%20or%0A%20%20%20%20%20%20%20%20ProcessCommandLine%20startswith%20%22cmd%22%20%20%20%20%20%20%20%20%20%0A%7C%20project%20ProcessCommandLine%2C%20ComputerName%2C%20EventTime%2C%20ReportId%2C%20MachineId%0A%7C%20join%20kind%3Dinner%20MalPnPDevices%20on%20ComputerName%0A%7C%20where%20(EventTime-PluginTime)%20between%20(0min..10s)%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EOther%20example%20scenarios%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EEvent%20A%20and%20then%20look%20for%20a%20outbound%20Connection%2C%26nbsp%3B%20inbound%20Connection%20and%20then%20a%20process%20start..%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHappy%20hunting!%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-215835%22%20slang%3D%22en-US%22%3EGetting%20Started%20with%20Windows%20Defender%20ATP%20Advanced%20Hunting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-215835%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWe%E2%80%99ve%20recently%20released%20a%20capability%20called%20Advanced%20Hunting%20in%20Windows%20Defender%20ATP%20that%20allows%20you%20to%20get%20unfiltered%20access%20to%20the%20raw%20data%20inside%20your%20Windows%20Defender%20ATP%20tenant%20and%20proactively%20hunt%20for%20threats%20using%20a%20powerful%20search%20and%20query%20language%3C%2FSPAN%3E%3CSPAN%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhy%20should%20I%20care%20about%20Advanced%20Hunting%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThere%20will%20be%20situations%20where%20you%20need%20to%20quickly%20determine%20if%20your%20organization%20is%20impacted%20by%20a%20threat%20that%20does%20not%20yet%20have%20pre-established%20indicators%20of%20compromise%20(IOC).%20Think%20of%20a%20new%20global%20outbreak%2C%20or%20a%20new%20waterhole%20technique%20which%20could%20have%20lured%20some%20of%20your%20end%20users%2C%20or%20a%20new%200-day%20exploit.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EImagine%20the%20following%20scenario.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIt%E2%80%99s%20early%20morning%20and%20you%20just%20got%20to%20the%20office.%20While%20reading%20the%20news%20and%20monitoring%20the%20usual%20social%20media%20channels%20for%20new%20vulnerabilities%20and%20threats%2C%20you%20see%20a%20discussion%20on%20a%20new%20exploit%20and%20you%20want%20to%20quickly%20check%20if%20any%20of%20your%20endpoints%20have%20been%20exposed%20to%20the%20threat.%20If%20an%20alert%20hasn%E2%80%99t%20been%20generated%20in%20your%20Windows%20Defender%20ATP%20tenant%2C%20you%20can%20use%20Advanced%20Hunting%20and%20hunt%20through%20your%20own%20data%20for%20the%20specific%20exploit%20technique.%20Based%20on%20the%20results%20of%20your%20query%2C%20you%E2%80%99ll%20quickly%20be%20able%20to%20see%20relevant%20information%20and%20take%20swift%20action%20where%20needed.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20does%20Advanced%20Hunting%20work%20under%20the%20hood%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAdvanced%20Hunting%20makes%20use%20of%20the%20Azure%20Kusto%20query%20language%2C%20which%20is%20the%20same%20language%20we%20use%20for%20%3C%2FSPAN%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.loganalytics.io%2Fdocs%2FLanguage-Reference%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Log%20Analytics%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%3E%2C%20and%20provides%20full%20access%20to%20raw%20data%20up%20to%2030%20days%20back.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20data%20model%20is%20simply%20made%20up%20by%2010%20tables%20in%20total%2C%20and%20all%20of%20the%20details%20on%20the%20fields%20of%20each%20table%20is%20available%20under%20our%20documentation%2C%20%3C%2FSPAN%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-atp%2Fadvanced-hunting-reference-windows-defender-advanced-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAdvanced%20hunting%20reference%20in%20Windows%20Defender%20ATP%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3EAlert%20information%3A%20%3C%2FSPAN%3E%3CSPAN%3EThis%20table%20includes%20information%20related%20to%20alerts%20and%20related%20IOCs%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EMachine%20info%3A%20%3C%2FSPAN%3E%3CSPAN%3EIncludes%3C%2FSPAN%3E%20%3CSPAN%3Eproperties%20of%20the%20devices%20(Name%2C%20OS%20platform%20and%20version%2C%20LoggedOn%20users%2C%20and%20others)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EMachine%20network%20info%20(Preview)%3A%3C%2FSPAN%3E%3CSPAN%3E%20The%20device%20network%20interfaces%20related%20information%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EProcess%20creation%20event%3A%20%3C%2FSPAN%3E%3CSPAN%3EThe%20process%20image%20file%20information%2C%20command%20line%2C%20and%20others%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ELoad%20image%3A%20%3C%2FSPAN%3E%3CSPAN%3EThe%20process%20and%20loaded%20module%20information%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ENetwork%20communication%20events%3A%20%3C%2FSPAN%3E%3CSPAN%3EThe%20process%20and%20connection%20information%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EFile%20creation%20events%3A%20%3C%2FSPAN%3E%3CSPAN%3EThe%20created%20file%20info%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ERegistry%20activities%3A%20%3C%2FSPAN%3E%3CSPAN%3EWhich%20process%20change%20what%20key%20and%20which%20value%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ELogOn%20event%3A%3C%2FSPAN%3E%3CSPAN%3E%20Who%20logged%20on%2C%20type%20of%20logon%2C%20permissions%2C%20and%20others%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EEvents%3A%20%3C%2FSPAN%3E%3CSPAN%3EA%20variety%20of%20Windows%20related%20events%2C%20for%20example%20telemetry%20from%20Windows%20Defender%20Exploit%20Guard%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3EYou%20can%20easily%20combine%20tables%20in%20your%20query%20or%20search%20across%20any%20available%20table%20combination%20of%20your%20own%20choice.%20Whatever%20is%20needed%20for%20you%20to%20hunt!%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20do%20I%20write%20my%20first%20query%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20easiest%20way%20I%20found%20to%20teach%20someone%20Advanced%20Hunting%20is%20by%20comparing%20this%20capability%20with%20an%20%3CFONT%3EExcel%20spreadsheet%20that%20you%20can%20pivot%20and%20apply%20filters%20on.%20%3C%2FFONT%3EYou%E2%80%99ll%20be%20able%20to%20merge%20tables%2C%20compare%20columns%2C%20and%20apply%20filters%20on%20top%20to%20narrow%20down%20the%20search%20results.%20Advanced%20Hunting%20uses%20simple%20query%20language%20but%20powerful%20query%20language%20that%20returns%20a%20rich%20set%20of%20data.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBecause%20of%20the%20richness%20of%20data%2C%20you%20will%20want%20to%20use%20filters%20wisely%20to%20reduce%20unnecessary%20noise%20into%20your%20analysis.%20The%20query%20language%20has%20plenty%20of%20useful%20operators%2C%20like%20the%20one%20that%20allows%20you%20to%20return%20up%20only%20a%20specific%20number%20of%20rows%2C%20which%20is%20useful%20to%20have%20for%20scenarios%20when%20you%20need%20a%20quick%2C%20performant%2C%20and%20focused%20set%20of%20results.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20way%20to%20limit%20the%20output%20is%20by%20using%20EventTime%20and%20therefore%20limit%20the%20results%20to%20a%20specific%20time%20window.%20For%20more%20information%2C%20see%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-atp%2Fadvanced-hunting-best-practices-windows-defender-advanced-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAdvanced%20Hunting%20query%20best%20practices%3C%2FA%3E%3C%2FSPAN%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%E2%80%99s%20take%20a%20closer%20look%20at%20this%20and%20get%20started.%20In%20our%20first%20example%2C%20we%E2%80%99ll%20use%20a%20table%20called%20ProcessCreationEvents%20and%20see%20what%20we%20can%20learn%20from%20there.%20First%20let%E2%80%99s%20look%20at%20the%20last%205%20rows%20of%20ProcessCreationEvents%20and%20then%20let%E2%80%99s%20see%20what%20happens%20if%20instead%20of%20using%20the%20operator%20limit%20we%20use%20EventTime%20and%20filter%20for%20events%20that%20happened%20within%20the%20last%20hour.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20limit%205%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37696i6F821A4E96530473%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image1.png%22%20title%3D%22Image1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%201%3A%20Example%20query%20that%20returns%20random%205%20rows%20of%20ProcessCreationEvents%20table%2C%20to%20quickly%20see%20some%20data%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20where%20EventTime%20%26gt%3B%20ago(1h)%20%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37697iEB068492F9DADFD6%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image2.png%22%20title%3D%22Image2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%202%3A%20Example%20query%20that%20returns%20all%20events%20from%20ProcessCreationEvents%20table%20that%20happened%20within%20the%20last%20hour%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37699iB580948D0317E4F5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image3.png%22%20title%3D%22Image3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%203%3A%20Outcome%20of%20ProcessCreationEvents%20with%20EventTime%20restriction%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20remember%20earlier%20I%20compared%20this%20with%20an%20Excel%20spreadsheet.%20We%20can%20export%20the%20outcome%20of%20our%20query%20and%20open%20it%20in%20Excel%20so%20we%20can%20do%20a%20proper%20comparison.%20As%20you%20can%20see%20in%20the%20following%20image%2C%20all%20the%20rows%20that%20I%20mentioned%20earlier%20are%20displayed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37700i52FDB710A8497081%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image4.png%22%20title%3D%22Image4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%204%3A%20Exported%20outcome%20of%20ProcessCreationEvents%20with%20EventTime%20restriction%20which%20is%20started%20in%20Excel%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20with%20any%20other%20Excel%20sheet%2C%20all%20you%20really%20need%20to%20understand%20is%20where%2C%20and%20how%2C%20to%20apply%20filters%2C%20to%20get%20the%20information%20you%E2%80%99re%20looking%20for.%20When%20you%20master%20it%2C%20you%20will%20master%20Advanced%20Hunting!%3C%2FP%3E%0A%3CP%3EWith%20that%20in%20mind%2C%20it%E2%80%99s%20time%20to%20learn%20a%20couple%20of%20more%20operators%20and%20make%20use%20of%20them%20inside%20a%20query.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20do%20I%20filter%20for%20specific%20activities%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20several%20ways%20to%20apply%20filters%20for%20specific%20data.%20One%20common%20filter%20that%E2%80%99s%20available%20in%20most%20of%20the%20sample%20queries%20is%20the%20use%20of%20the%20%E2%80%9Cwhere%E2%80%9D%20operator.%20This%20operator%20allows%20you%20to%20apply%20filters%20to%20a%20specific%20column%20within%20a%20table.%20For%20example%2C%20if%20you%20want%20to%20search%20for%20ProcessCreationEvents%2C%20where%20the%20FileName%20is%20powershell.exe.%20all%20you%20need%20to%20do%20is%20apply%20the%20operator%20in%20the%20following%20query%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20where%20FileName%20%3D%3D%20%22powershell.exe%22%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37701i5F8DCE93EA41EEFD%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image5.png%22%20title%3D%22Image5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%205%3A%20Example%20query%20that%20shows%20all%20ProcessCreationEvents%20where%20the%20FileName%20is%20powershell.exe%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20remember%20you%E2%80%99ll%20want%20to%20either%20use%20the%20limit%20operator%20or%20the%20EventTime%20row%20as%20a%20filter%20to%20have%20the%20best%20results%20when%20running%20your%20query.%20Also%20note%20that%20sometimes%20you%20might%20not%20have%20the%20absolute%20filename%20or%20might%20be%20dealing%20with%20a%20malicious%20file%20that%20constantly%20changes%20names.%20In%20these%20scenarios%2C%20you%20can%20use%20other%20filters%20such%20as%20%E2%80%9Ccontains%E2%80%9D%2C%20%E2%80%9Cstartwith%E2%80%9D%2C%20and%20others.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37702iFF8C071512BBC103%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image6.png%22%20title%3D%22Image6.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%206%3A%20Some%20fields%20may%20contain%20data%20in%20different%20cases%20for%20example%2C%20file%20names%2C%20paths%2C%20command%20lines%2C%20and%20URLs.%20For%20cases%20like%20these%2C%20you%E2%80%99ll%20usually%20want%20to%20do%20a%20case%20insensitive%20matching.%20The%20original%20case%20is%20preserved%20because%20it%20might%20be%20important%20for%20your%20investigation.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CEM%3EProcessCreationEvents%0A%7C%20where%20FileName%20%3D~%20%22powershell.exe%22%0A%7C%20limit%205%3C%2FEM%3E%3C%2FPRE%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37703i81E45B77DA888C97%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image7.png%22%20title%3D%22Image7.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%207%3A%20Example%20query%20that%20returns%20the%20last%205%20rows%20of%20ProcessCreationEvents%20where%20FileName%20was%20powershell.exe.%20We%20are%20using%20%3D%3CFONT%3E~%20making%20sure%20it%20is%20case-insensitive.%3C%2FFONT%3E%3C%2FEM%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20of%20course%20use%20the%20operator%20%E2%80%9Cand%E2%80%9D%20or%20%E2%80%9Cor%E2%80%9D%20when%20using%20any%20combination%20of%20operators%2C%20making%20your%20query%20even%20more%20powerful.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CEM%3EProcessCreationEvents%0A%7C%20where%20FileName%20%3D~%20%22powershell.exe%22%0Aor%20FileName%20%3D~%20%22cmd.exe%22%0A%7C%20limit%205%20%20%3C%2FEM%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37705i7C2AC964E2770591%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image8.png%22%20title%3D%22Image8.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%208%3A%20Example%20query%20that%20returns%20the%20last%205%20rows%20of%20ProcessCreationEvents%20where%20FileName%20was%20powershell.exe%20or%20cmd.exe%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20some%20instances%2C%20you%20might%20want%20to%20search%20for%20specific%20information%20across%20multiple%20tables.%20For%20that%20scenario%2C%20you%20can%20use%20the%20%E2%80%9Cfind%E2%80%9D%20operator.%20Think%20of%20the%20scenario%20where%20you%20are%20aware%20of%20a%20specific%20malicious%20file%20hash%20and%20you%20want%20to%20know%20details%20of%20that%20file%20hash%20across%20FileCreationEvents%2C%20ProcessCreationEvents%2C%20and%20NetworkCommunicatonEvents.%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CPRE%3Elet%20fileHash%20%3D%20%22e152f7ce2d3a4349ac583580c2caf8f72fac16ba%22%3B%0Afind%20in%20(FileCreationEvents%2C%20ProcessCreationEvents%2C%20NetworkCommunicationEvents)%0Awhere%20SHA1%20%3D%3D%20fileHash%20or%20InitiatingProcessSHA1%20%3D%3D%20fileHash%0Aproject%20ComputerName%2C%20ActionType%2C%20FileName%2C%20EventTime%3C%2FPRE%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20973px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37706iC202744240EE2921%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image9.png%22%20title%3D%22Image9.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%209%3A%20Example%20query%20that%20searches%20for%20a%20specific%20file%20hash%20across%20multiple%20tables%20where%20the%20SHA1%20equals%20to%20the%20file%20hash%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20do%20I%20tailor%20the%20outcome%20of%20a%20query%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20some%20point%2C%20you%20may%20want%20to%20tailor%20the%20outcome%20of%20a%20query%20after%20running%20it%20so%20that%20you%20can%20see%20the%20most%20relevant%20information%20as%20quickly%20as%20possible.%20For%20this%20scenario%20you%20can%20use%20the%20%E2%80%9Cproject%E2%80%9D%20operator%20which%20allows%20you%20to%20select%20the%20columns%20you%E2%80%99re%20most%20interested%20in.%20Simply%20select%20which%20columns%20you%20want%20to%20visualize.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20where%20FileName%20%3D%3D%20%22powershell.exe%22%0Aor%20FileName%20%3D%3D%20%22cmd.exe%22%0A%7C%20limit%205%0A%7C%20project%20EventTime%2C%20ComputerName%2C%20ProcessCommandLine%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37707iEDD7D4C8D0552B03%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image10.png%22%20title%3D%22Image10.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2010%3A%20Example%20query%20that%20returns%20the%20last%205%20rows%20of%20ProcessCreationEvents%20where%20FileName%20was%20powershell.exe%20or%20cmd.exe%2C%20note%20this%20time%20we%20are%20using%20%3D%3D%20which%20makes%20it%20case%20sensitive%20and%20where%20the%20outcome%20is%20filtered%20to%20show%20you%20EventTime%2C%20ComputerName%20and%20ProcessCommandLine%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37708i32B346E3A46FDC80%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image11.png%22%20title%3D%22Image11.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2011%3A%20Result%20of%20the%20previous%20query%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20may%20be%20scenarios%20when%20you%20want%20to%20keep%20track%20of%20how%20many%20times%20a%20specific%20event%20happened%20on%20an%20endpoint.%20You%20can%20use%20the%20%E2%80%9Csummarize%E2%80%9D%20operator%20for%20that%2C%20which%20allows%20you%20to%20produce%20a%20table%20that%20aggregates%20the%20content%20of%20the%20input%20table%20in%20combination%20with%20count()%20that%20will%20count%20the%20number%20of%20rows%20or%20dcount()%20that%20will%20count%20the%20distinct%20values.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20where%20FileName%20%3D%3D%20%22powershell.exe%22%0A%7C%20summarize%20count()%0A%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37709i1D86E46E11EAEBE2%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image12.png%22%20title%3D%22Image12.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2012%3A%20Example%20query%20that%20searches%20for%20all%20ProcessCreationEvents%20where%20FileName%20was%20powershell.exe%20and%20gives%20as%20outcome%20the%20total%20count%20it%20has%20been%20discovered%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20225px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37710i684A03FD7F31E85C%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image13.png%22%20title%3D%22Image13.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2013%3A%20In%20the%20above%20example%2C%20the%20result%20shows%2025%20endpoints%20had%20ProcessCreationEvents%20that%20originated%20by%20FileName%20powershell.exe%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20where%20FileName%20%3D%3D%20%22powershell.exe%22%0A%7C%20summarize%20dcount(ComputerName)%3C%2FPRE%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20327px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37711i080218F8BCCB02BC%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image14.png%22%20title%3D%22Image14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2014%3A%20Query%20that%20searches%20for%20all%20ProcessCreationEvents%20where%20FileName%20was%20powershell.exe%20and%20produces%20a%20result%20that%20shows%20the%20total%20count%20of%20distinct%20computer%20names%20where%20it%20was%20discovered%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20257px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37712i7F13476589013B0A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image15.png%22%20title%3D%22Image15.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2015%3A%20In%20the%20above%20example%2C%20the%20result%20shows%208%20distinct%20endpoints%20had%20ProcessCreationEvents%20where%20the%20FileName%20powershell.exe%20was%20seen%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20might%20have%20noticed%20a%20filter%20icon%20within%20the%20Advanced%20Hunting%20console.%20This%20is%20a%20useful%20feature%20to%20further%20optimize%20your%20query%20by%20adding%20additional%20filters%20based%20on%20the%20current%20outcome%20of%20your%20existing%20query.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37713i00508F9E3AD02A78%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image16.png%22%20title%3D%22Image16.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2016%3A%20select%20the%20filter%20option%20to%20further%20optimize%20your%20query%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20322px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37714i3C16F0A0BD328229%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image17.png%22%20title%3D%22Image17.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2017%3A%20Depending%20on%20the%20current%20outcome%20of%20your%20query%20the%20filter%20will%20show%20you%20the%20available%20filters.%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EChoosing%20the%20minus%20icon%20will%20exclude%20a%20certain%20attribute%20from%20the%20query%20while%20the%20addition%20icon%20will%20include%20it.%20Once%20you%20select%20any%20additional%20filters%20Run%20query%20turns%20blue%20and%20you%20will%20be%20able%20to%20run%20an%20updated%20query.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20do%20I%20join%20multiple%20tables%20in%20one%20query%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20almost%20feels%20like%20that%20there%20is%20an%20operator%20for%20anything%20you%20might%20want%20to%20do%20inside%20Advanced%20Hunting.%20At%20some%20point%20you%20might%20want%20to%20join%20multiple%20tables%20to%20get%20a%20better%20understanding%20on%20the%20incident%20impact.%20For%20that%20scenario%2C%20you%20can%20use%20the%20%E2%80%9Cjoin%E2%80%9D%20operator.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EFileCreationEvents%0A%7C%20where%20EventTime%20%26gt%3B%20ago(30d)%0A%7C%20project%20MachineId%2C%20FileName%2C%20SHA1%2C%20FolderPath%0A%7C%20join%20kind%3D%20inner%20(%0A%20ProcessCreationEvents%0A%20%7C%20where%20EventTime%20%26gt%3B%20ago(30d)%0A%20%7C%20project%20MachineId%2C%20FileName%2C%20SHA1%2C%20FolderPath%0A)%20on%20MachineId%2C%20SHA1%2C%20FolderPath%2C%20FileName%0A%7C%20limit%2010%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37715iB7A8462C2D21F13C%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image18.png%22%20title%3D%22Image18.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2018%3A%20Example%20query%20that%20joins%20FileCreationEvents%20with%20ProcessCreationEvents%20where%20the%20result%20shows%20a%20full%20perspective%20on%20the%20files%20that%20got%20created%20and%20executed%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20particularly%20useful%20for%20instances%20where%20you%20want%20to%20hunt%20for%20occurrences%20where%20threat%20actors%20drop%20their%20payload%20and%20run%20it%20afterwards.%20This%20way%20you%20can%20correlate%20the%20data%20and%20don%E2%80%99t%20have%20to%20write%20and%20run%20two%20different%20queries.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EBreakdown%20of%20some%20of%20the%20sample%20queries%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EPowerShell%20execution%20events%20that%20could%20involve%20downloads%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20sample%20query%20searches%20for%20PowerShell%20activities%20that%20could%20indicate%20that%20the%20threat%20actor%20downloaded%20something%20from%20the%20network.%20Let%E2%80%99s%20break%20down%20the%20query%20to%20better%20understand%20how%20and%20why%20it%20is%20built%20in%20this%20way.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EProcessCreationEvents%0A%7C%20where%20EventTime%20%26gt%3B%20ago(7d)%0A%7C%20where%20FileName%20in~%20(%22powershell.exe%22%2C%20%22powershell_ise.exe%22)%0A%7C%20where%20ProcessCommandLine%20has%20%22Net.WebClient%22%0A%20%20%20or%20ProcessCommandLine%20has%20%22DownloadFile%22%0A%20%20%20or%20ProcessCommandLine%20has%20%22Invoke-WebRequest%22%0A%20%20%20or%20ProcessCommandLine%20has%20%22Invoke-Shellcode%22%0A%20%20%20or%20ProcessCommandLine%20contains%20%22http%3A%22%0A%7C%20project%20EventTime%2C%20ComputerName%2C%20InitiatingProcessFileName%2C%20FileName%2C%20ProcessCommandLine%0A%7C%20top%20100%20by%20EventTime%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37716i1CCBB7DF8056B19A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image19.png%22%20title%3D%22Image19.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2019%3A%20PowerShell%20execution%20events%20that%20could%20involve%20downloads%20sample%20query%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EProcessCreationEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3ETable%20selected%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20where%20EventTime%20%26gt%3B%20ago(7d)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EOnly%20looking%20for%20events%20happened%20last%207%20days%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20where%20FileName%20in~%20(%E2%80%9Cpowershell.exe%E2%80%9D%2C%20%E2%80%9Cpowershell_ise.exe%E2%80%9D)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EOnly%20looking%20for%20events%20where%20FileName%20is%20any%20of%20the%20mentioned%20PowerShell%20variations.%20Note%20because%20we%20use%20in%20~%20it%20is%20case-insensitive.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20where%20ProcessCommandLine%20has%20%22Net.WebClient%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20or%20ProcessCommandLine%20has%20%22DownloadFile%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20or%20ProcessCommandLine%20has%20%22Invoke-WebRequest%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20or%20ProcessCommandLine%20has%20%22Invoke-Shellcode%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20or%20ProcessCommandLine%20has%20%22http%3A%22%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EOnly%20looking%20for%20PowerShell%20events%20where%20the%20used%20command%20line%20is%20any%20of%20the%20mentioned%20ones%20in%20the%20query%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20project%20EventTime%2C%20ComputerName%2C%20InitiatingProcessFileName%2C%20FileName%2C%20ProcessCommandLine%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EMakes%20sure%20the%20outcome%20only%20shows%20EventTime%2C%20ComputerName%2C%20InitiatingProcessFileName%2C%20FileName%20and%20ProcessComandLine%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20top%20100%20by%20EventTime%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EEnsures%20that%20the%20records%20are%20ordered%20by%20the%20top%20100%20of%20the%20EventTime%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CFONT%3EIdentifying%20Base64%20decoded%20payload%20execution%3C%2FFONT%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%3EIt%20has%20become%20very%20common%20for%20threat%20actors%20to%20do%20a%20Base64%20decoding%20on%20their%20malicious%20payload%20to%20hide%20their%20traps.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CFONT%3EProcessCreationEvents%20%0A%7C%20where%20EventTime%20%26gt%3B%20ago(14d)%20%0A%7C%20where%20ProcessCommandLine%20contains%20%22.decode('base64')%22%0A%20%20%20%20%20%20%20%20or%20ProcessCommandLine%20contains%20%22base64%20--decode%22%0A%20%20%20%20%20%20%20%20or%20ProcessCommandLine%20contains%20%22.decode64(%22%20%0A%7C%20project%20EventTime%20%2C%20ComputerName%20%2C%20FileName%20%2C%20FolderPath%20%2C%20ProcessCommandLine%20%2C%20InitiatingProcessCommandLine%20%0A%7C%20top%20100%20by%20EventTime%20%3C%2FFONT%3E%3C%2FPRE%3E%0A%3CP%3E%3CFONT%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20912px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37717i7AAEE1A80933977B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image20.png%22%20title%3D%22Image20.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2020%3A%20Identifying%20Base64%20decoded%20payload%20execution%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EProcessCreationEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3ETable%20selected%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20where%20EventTime%20%26gt%3B%20ago(14d)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EOnly%20looking%20for%20events%20happened%20last%2014%20days%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20where%20ProcessCommandLine%20contains%20%22.decode('base64')%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20or%20ProcessCommandLine%20contains%20%22base64%20--decode%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20or%20ProcessCommandLine%20contains%20%22.decode64(%22%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EOnly%20looking%20for%20events%20where%20the%20command%20line%20contains%20an%20indication%20for%20base64%20decoding.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%20-%26gt%3B%20.decode('base64')%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E-%26gt%3B%20base64%20%E2%80%93decode%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E-%26gt%3B%20.decode64(%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20project%20EventTime%20%2C%20ComputerName%20%2C%20FileName%20%2C%20FolderPath%20%2C%20ProcessCommandLine%20%2C%20InitiatingProcessCommandLine%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EMake%20sure%20that%20the%20outcome%20only%20shows%20EventTime%20%2C%20ComputerName%20%2C%20FileName%20%2C%20FolderPath%20%2C%20ProcessCommandLine%20%2C%20InitiatingProcessCommandLine%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%7C%20top%20100%20by%20EventTime%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EEnsures%20that%20the%20records%20are%20ordered%20by%20the%20top%20100%20of%20the%20EventTime%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CFONT%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CFONT%3EIdentifying%20network%20connections%20to%20known%20Dofoil%20NameCoin%20servers%3C%2FFONT%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fmicrosoftsecure%2F2018%2F03%2F07%2Fbehavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDofoil%3C%2FA%3E%3C%2FSPAN%3E%20is%20a%20sophisticated%20threat%20that%20attempted%20to%20install%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fmicrosoftsecure%2F2018%2F03%2F07%2Fbehavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecoin%20miner%20malware%3C%2FA%3E%3C%2FSPAN%3E%20on%20hundreds%20of%20thousands%20of%20computers%20in%20March%2C%202018.%20The%20sample%20query%20below%20allows%20you%20to%20quickly%20determine%20if%20there%E2%80%99s%20been%20any%20network%20connections%20to%20known%20Dofoil%20NameCoin%20servers%20within%20the%20last%2030%20days%20from%20endpoints%20in%20your%20network.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3ENetworkCommunicationEvents%20%0A%7C%20where%20RemoteIP%20in%20(%22139.59.208.246%22%2C%22130.255.73.90%22%2C%2231.3.135.232%22%2C%2252.174.55.168%22%2C%22185.121.177.177%22%2C%22185.121.177.53%22%2C%20%2262.113.203.55%22%2C%22144.76.133.38%22%2C%22169.239.202.202%22%2C%225.135.183.146%22%2C%22142.0.68.13%22%2C%22103.253.12.18%22%2C%20%2262.112.8.85%22%2C%2269.164.196.21%22%2C%22107.150.40.234%22%2C%22162.211.64.20%22%2C%22217.12.210.54%22%2C%2289.18.27.34%22%2C%22193.183.98.154%22%2C%2251.255.167.0%22%2C%2291.121.155.13%22%2C%2287.98.175.85%22%2C%22185.97.7.7%22)%0A%7C%20project%20ComputerName%2C%20InitiatingProcessCreationTime%2C%20InitiatingProcessFileName%2C%20InitiatingProcessCommandLine%2C%20RemoteIP%2C%20RemotePort%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37718iB3FD2D60E92EDE43%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image21.png%22%20title%3D%22Image21.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2021%3A%20Identifying%20network%20connections%20to%20known%20Dofoil%20NameCoin%20servers%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%0A%3CP%3ENetworkCommunicationEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%3E%0A%3CP%3ETable%20selected%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%0A%3CP%3E%7C%20where%20RemoteIP%20in%20(%22139.59.208.246%22%2C%22130.255.73.90%22%2C%2231.3.135.232%22%2C%3C%2FP%3E%0A%3CP%3E%2252.174.55.168%22%2C%20%22185.121.177.177%22%2C%22185.121.177.53%22%2C%2262.113.203.55%22%2C%3C%2FP%3E%0A%3CP%3E%22144.76.133.38%22%2C%22169.239.202.202%22%2C%225.135.183.146%22%2C%3C%2FP%3E%0A%3CP%3E%22142.0.68.13%22%2C%22103.253.12.18%22%2C%2262.112.8.85%22%2C%3C%2FP%3E%0A%3CP%3E%2269.164.196.21%22%20%2C%22107.150.40.234%22%2C%22162.211.64.20%22%2C%22217.12.210.54%22%3C%2FP%3E%0A%3CP%3E%2C%2289.18.27.34%22%2C%22193.183.98.154%22%2C%2251.255.167.0%22%3C%2FP%3E%0A%3CP%3E%2C%2291.121.155.13%22%2C%2287.98.175.85%22%2C%22185.97.7.7%22)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%3E%0A%3CP%3EOnly%20looking%20for%20network%20connection%20where%20the%20RemoteIP%20is%20any%20of%20the%20mentioned%20ones%20in%20the%20query%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%0A%3CP%3E%7C%20project%20ComputerName%2C%3C%2FP%3E%0A%3CP%3EInitiatingProcessCreationTime%2C%3C%2FP%3E%0A%3CP%3EInitiatingProcessFileName%2C%3C%2FP%3E%0A%3CP%3EInitiatingProcessCommandLine%2C%3C%2FP%3E%0A%3CP%3ERemoteIP%2C%20RemotePort%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%3E%0A%3CP%3EMakes%20sure%20the%20outcome%20only%20shows%20ComputerName%2C%20InitiatingProcessCreationTime%2C%20InitiatingProcessFileName%2C%20InitiatingProcessCommandLine%2C%20RemoteIP%2C%20RemotePort%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EKnowledge%20Check%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20following%20sections%2C%20you%E2%80%99ll%20find%20a%20couple%20of%20queries%20that%20need%20to%20be%20fixed%20before%20they%20can%20work.%20Try%20to%20find%20the%20problem%20and%20address%20it%20so%20that%20the%20query%20can%20work.%20Don%E2%80%99t%20worry%2C%20there%20are%20some%20hints%20along%20the%20way.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3ENetworkCommunicationEvents%0A%7C%20where%20RemoteIP%20in%20(%E2%80%9Cmsupdater.com%E2%80%9D%2C%20%E2%80%9Ctwitterdocs.com%E2%80%9D)%0A%7C%20summarize%20by%20ComputerName%2C%20InitiatingProcessComandLine%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37719iEAC9ED91EFC4AE1B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image22.png%22%20title%3D%22Image22.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%2022%3A%20This%20query%20should%20return%20a%20result%20that%20shows%20network%20communication%20to%20two%20URLs%20msupdater.com%20and%20twitterdocs.com%3C%2FEM%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37720i58A8C9DBDDB3245F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Image23.png%22%20title%3D%22Image23.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EImage%2023%3A%20This%20query%20should%20return%20a%20result%20that%20shows%20files%20downloaded%20through%20Microsoft%20Edge%20and%20returns%20the%20columns%20EventTime%2C%20ComputerName%2C%20InitiatingProcessFileName%2C%20FileName%20and%20FolderPath%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CFONT%3EHow%20do%20I%20manage%20queries%3F%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CFONT%3EYou%20might%20have%20some%20queries%20stored%20in%20various%20text%20files%20or%20have%20been%20copy-pasting%20them%20from%20here%20to%20Advanced%20Hunting.%20Advanced%20Hunting%20allows%20you%20to%20save%20your%20queries%20and%20share%20them%20within%20your%20tenant%20with%20your%20peers.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CFONT%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20557px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37721i082916AD73BA6B77%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image24.png%22%20title%3D%22Image24.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CFONT%3EImage%2024%3A%26nbsp%3BYou%20can%20choose%20Save%20or%20Save%20As%20to%20select%20a%20folder%20location%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20693px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37723iC272C276C804F3F9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Image25.png%22%20title%3D%22Image25.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EImage%2025%3A%20Choose%20if%20you%20want%20the%20query%20to%20be%20shared%20across%20your%20organization%20or%20only%20available%20to%20you%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESummary%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20regularly%20publish%20new%20sample%20queries%20on%20GitHub.%20I%20highly%20recommend%20everyone%20to%20check%20these%20queries%20regularly.%20See%2C%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2FWindowsDefenderATP-Hunting-Queries%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESample%20queries%20for%20Advanced%20hunting%20in%20Windows%20Defender%20ATP%3C%2FA%3E%3C%2FSPAN%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20this%20point%20you%20should%20be%20all%20set%20to%20start%20using%20Advanced%20Hunting%20to%20proactively%20search%20for%20suspicious%20activity%20in%20your%20environment.%20If%20you%20have%20questions%2C%20feel%20free%20to%20reach%20me%20on%20my%20Twitter%20handle%3A%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FMiladMSFT%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40MiladMSFT%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-215835%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20hunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Emilada%40microsoft.com%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

We’ve recently released a capability called Advanced Hunting in Windows Defender ATP that allows you to get unfiltered access to the raw data inside your Windows Defender ATP tenant and proactively hunt for threats using a powerful search and query language.

 

Why should I care about Advanced Hunting?

 

There will be situations where you need to quickly determine if your organization is impacted by a threat that does not yet have pre-established indicators of compromise (IOC). Think of a new global outbreak, or a new waterhole technique which could have lured some of your end users, or a new 0-day exploit.

 

Imagine the following scenario.

 

It’s early morning and you just got to the office. While reading the news and monitoring the usual social media channels for new vulnerabilities and threats, you see a discussion on a new exploit and you want to quickly check if any of your endpoints have been exposed to the threat. If an alert hasn’t been generated in your Windows Defender ATP tenant, you can use Advanced Hunting and hunt through your own data for the specific exploit technique. Based on the results of your query, you’ll quickly be able to see relevant information and take swift action where needed.

 

How does Advanced Hunting work under the hood?

 

Advanced Hunting makes use of the Azure Kusto query language, which is the same language we use for Azure Log Analytics, and provides full access to raw data up to 30 days back.

The data model is simply made up by 10 tables in total, and all of the details on the fields of each table is available under our documentation, Advanced hunting reference in Windows Defender ATP.

 

  • Alert information: This table includes information related to alerts and related IOCs
  • Machine info: Includes properties of the devices (Name, OS platform and version, LoggedOn users, and others)
  • Machine network info (Preview): The device network interfaces related information
  • Process creation event: The process image file information, command line, and others
  • Load image: The process and loaded module information
  • Network communication events: The process and connection information
  • File creation events: The created file info
  • Registry activities: Which process change what key and which value
  • LogOn event: Who logged on, type of logon, permissions, and others
  • Events: A variety of Windows related events, for example telemetry from Windows Defender Exploit Guard

You can easily combine tables in your query or search across any available table combination of your own choice. Whatever is needed for you to hunt!

 

How do I write my first query?

 

The easiest way I found to teach someone Advanced Hunting is by comparing this capability with an Excel spreadsheet that you can pivot and apply filters on. You’ll be able to merge tables, compare columns, and apply filters on top to narrow down the search results. Advanced Hunting uses simple query language but powerful query language that returns a rich set of data.

 

Because of the richness of data, you will want to use filters wisely to reduce unnecessary noise into your analysis. The query language has plenty of useful operators, like the one that allows you to return up only a specific number of rows, which is useful to have for scenarios when you need a quick, performant, and focused set of results.

 

Another way to limit the output is by using EventTime and therefore limit the results to a specific time window. For more information, see Advanced Hunting query best practices.

 

Let’s take a closer look at this and get started. In our first example, we’ll use a table called ProcessCreationEvents and see what we can learn from there. First let’s look at the last 5 rows of ProcessCreationEvents and then let’s see what happens if instead of using the operator limit we use EventTime and filter for events that happened within the last hour.

 

ProcessCreationEvents
| limit 5

Image1.png

Image 1: Example query that returns random 5 rows of ProcessCreationEvents table, to quickly see some data

 

ProcessCreationEvents
| where EventTime > ago(1h) 

 Image2.png

Image 2: Example query that returns all events from ProcessCreationEvents table that happened within the last hour

Image3.png

Image 3: Outcome of ProcessCreationEvents with EventTime restriction

 

Now remember earlier I compared this with an Excel spreadsheet. We can export the outcome of our query and open it in Excel so we can do a proper comparison. As you can see in the following image, all the rows that I mentioned earlier are displayed.

 

Image4.png

Image 4: Exported outcome of ProcessCreationEvents with EventTime restriction which is started in Excel

 

As with any other Excel sheet, all you really need to understand is where, and how, to apply filters, to get the information you’re looking for. When you master it, you will master Advanced Hunting!

With that in mind, it’s time to learn a couple of more operators and make use of them inside a query.

 

How do I filter for specific activities?

There are several ways to apply filters for specific data. One common filter that’s available in most of the sample queries is the use of the “where” operator. This operator allows you to apply filters to a specific column within a table. For example, if you want to search for ProcessCreationEvents, where the FileName is powershell.exe. all you need to do is apply the operator in the following query:

 

 

ProcessCreationEvents
| where FileName == "powershell.exe"

Image5.png

 

Image 5: Example query that shows all ProcessCreationEvents where the FileName is powershell.exe

 

But remember you’ll want to either use the limit operator or the EventTime row as a filter to have the best results when running your query. Also note that sometimes you might not have the absolute filename or might be dealing with a malicious file that constantly changes names. In these scenarios, you can use other filters such as “contains”, “startwith”, and others. 

 

Image6.png

Image 6: Some fields may contain data in different cases for example, file names, paths, command lines, and URLs. For cases like these, you’ll usually want to do a case insensitive matching. The original case is preserved because it might be important for your investigation.

 

ProcessCreationEvents
| where FileName =~ "powershell.exe"
| limit 5

Image7.png

 

Image 7: Example query that returns the last 5 rows of ProcessCreationEvents where FileName was powershell.exe. We are using =~ making sure it is case-insensitive.

 

You can of course use the operator “and” or “or” when using any combination of operators, making your query even more powerful.

 

ProcessCreationEvents
| where FileName =~ "powershell.exe"
or FileName =~ "cmd.exe"
| limit 5  

 Image8.png

Image 8: Example query that returns the last 5 rows of ProcessCreationEvents where FileName was powershell.exe or cmd.exe

 

In some instances, you might want to search for specific information across multiple tables. For that scenario, you can use the “find” operator. Think of the scenario where you are aware of a specific malicious file hash and you want to know details of that file hash across FileCreationEvents, ProcessCreationEvents, and NetworkCommunicatonEvents.

 

let fileHash = "e152f7ce2d3a4349ac583580c2caf8f72fac16ba";
find in (FileCreationEvents, ProcessCreationEvents, NetworkCommunicationEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
project ComputerName, ActionType, FileName, EventTime

Image9.png

Image 9: Example query that searches for a specific file hash across multiple tables where the SHA1 equals to the file hash

 

How do I tailor the outcome of a query?

 

At some point, you may want to tailor the outcome of a query after running it so that you can see the most relevant information as quickly as possible. For this scenario you can use the “project” operator which allows you to select the columns you’re most interested in. Simply select which columns you want to visualize.

 

ProcessCreationEvents
| where FileName == "powershell.exe"
or FileName == "cmd.exe"
| limit 5
| project EventTime, ComputerName, ProcessCommandLine

Image10.png

Image 10: Example query that returns the last 5 rows of ProcessCreationEvents where FileName was powershell.exe or cmd.exe, note this time we are using == which makes it case sensitive and where the outcome is filtered to show you EventTime, ComputerName and ProcessCommandLine

 

Image11.png

Image 11: Result of the previous query

 

There may be scenarios when you want to keep track of how many times a specific event happened on an endpoint. You can use the “summarize” operator for that, which allows you to produce a table that aggregates the content of the input table in combination with count() that will count the number of rows or dcount() that will count the distinct values.

 

ProcessCreationEvents
| where FileName == "powershell.exe"
| summarize count()

Image12.png

Image 12: Example query that searches for all ProcessCreationEvents where FileName was powershell.exe and gives as outcome the total count it has been discovered

 

Image13.png

Image 13: In the above example, the result shows 25 endpoints had ProcessCreationEvents that originated by FileName powershell.exe

 

ProcessCreationEvents
| where FileName == "powershell.exe"
| summarize dcount(ComputerName)

Image14.png

Image 14: Query that searches for all ProcessCreationEvents where FileName was powershell.exe and produces a result that shows the total count of distinct computer names where it was discovered

Image15.png

Image 15: In the above example, the result shows 8 distinct endpoints had ProcessCreationEvents where the FileName powershell.exe was seen

 

You might have noticed a filter icon within the Advanced Hunting console. This is a useful feature to further optimize your query by adding additional filters based on the current outcome of your existing query.

Image16.png

Image 16: select the filter option to further optimize your query

 

Image17.png

 

Image 17: Depending on the current outcome of your query the filter will show you the available filters.

 

Choosing the minus icon will exclude a certain attribute from the query while the addition icon will include it. Once you select any additional filters Run query turns blue and you will be able to run an updated query.

 

How do I join multiple tables in one query?

 

It almost feels like that there is an operator for anything you might want to do inside Advanced Hunting. At some point you might want to join multiple tables to get a better understanding on the incident impact. For that scenario, you can use the “join” operator.

 

FileCreationEvents
| where EventTime > ago(30d)
| project MachineId, FileName, SHA1, FolderPath
| join kind= inner (
	ProcessCreationEvents
	| where EventTime > ago(30d)
	| project MachineId, FileName, SHA1, FolderPath
) on MachineId, SHA1, FolderPath, FileName
| limit 10

Image18.png

Image 18: Example query that joins FileCreationEvents with ProcessCreationEvents where the result shows a full perspective on the files that got created and executed

 

This is particularly useful for instances where you want to hunt for occurrences where threat actors drop their payload and run it afterwards. This way you can correlate the data and don’t have to write and run two different queries.

 

Breakdown of some of the sample queries

 

PowerShell execution events that could involve downloads

 

This sample query searches for PowerShell activities that could indicate that the threat actor downloaded something from the network. Let’s break down the query to better understand how and why it is built in this way.

 

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
   or ProcessCommandLine has "DownloadFile"
   or ProcessCommandLine has "Invoke-WebRequest"
   or ProcessCommandLine has "Invoke-Shellcode"
   or ProcessCommandLine contains "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime

Image19.png

Image 19: PowerShell execution events that could involve downloads sample query

 

ProcessCreationEvents

Table selected

| where EventTime > ago(7d)

Only looking for events happened last 7 days

| where FileName in~ (“powershell.exe”, “powershell_ise.exe”)

Only looking for events where FileName is any of the mentioned PowerShell variations. Note because we use in ~ it is case-insensitive.

| where ProcessCommandLine has "Net.WebClient"

        or ProcessCommandLine has "DownloadFile"

        or ProcessCommandLine has "Invoke-WebRequest"

        or ProcessCommandLine has "Invoke-Shellcode"

        or ProcessCommandLine has "http:"

Only looking for PowerShell events where the used command line is any of the mentioned ones in the query

| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine

Makes sure the outcome only shows EventTime, ComputerName, InitiatingProcessFileName, FileName and ProcessComandLine

| top 100 by EventTime

Ensures that the records are ordered by the top 100 of the EventTime

 

Identifying Base64 decoded payload execution

 

It has become very common for threat actors to do a Base64 decoding on their malicious payload to hide their traps.

 

ProcessCreationEvents 
| where EventTime > ago(14d) 
| where ProcessCommandLine contains ".decode('base64')"
        or ProcessCommandLine contains "base64 --decode"
        or ProcessCommandLine contains ".decode64(" 
| project EventTime , ComputerName , FileName , FolderPath , ProcessCommandLine , InitiatingProcessCommandLine 
| top 100 by EventTime 

Image20.png

Image 20: Identifying Base64 decoded payload execution

 

ProcessCreationEvents

Table selected

| where EventTime > ago(14d)

Only looking for events happened last 14 days

| where ProcessCommandLine contains ".decode('base64')"

        or ProcessCommandLine contains "base64 --decode"

        or ProcessCommandLine contains ".decode64("

Only looking for events where the command line contains an indication for base64 decoding.

     -> .decode('base64')

     -> base64 –decode

     -> .decode64(

| project EventTime , ComputerName , FileName , FolderPath , ProcessCommandLine , InitiatingProcessCommandLine

Make sure that the outcome only shows EventTime , ComputerName , FileName , FolderPath , ProcessCommandLine , InitiatingProcessCommandLine

| top 100 by EventTime

Ensures that the records are ordered by the top 100 of the EventTime

 

Identifying network connections to known Dofoil NameCoin servers

 

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. The sample query below allows you to quickly determine if there’s been any network connections to known Dofoil NameCoin servers within the last 30 days from endpoints in your network.

 

NetworkCommunicationEvents 
| where RemoteIP in ("139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53", "62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18", "62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34","193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7")
| project ComputerName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort

Image21.png

Image 21: Identifying network connections to known Dofoil NameCoin servers

 

NetworkCommunicationEvents

Table selected

| where RemoteIP in ("139.59.208.246","130.255.73.90","31.3.135.232",

"52.174.55.168", "185.121.177.177","185.121.177.53","62.113.203.55",

"144.76.133.38","169.239.202.202","5.135.183.146",

"142.0.68.13","103.253.12.18","62.112.8.85",

"69.164.196.21" ,"107.150.40.234","162.211.64.20","217.12.210.54"

,"89.18.27.34","193.183.98.154","51.255.167.0"

,"91.121.155.13","87.98.175.85","185.97.7.7")

Only looking for network connection where the RemoteIP is any of the mentioned ones in the query

| project ComputerName,

InitiatingProcessCreationTime,

InitiatingProcessFileName,

InitiatingProcessCommandLine,

RemoteIP, RemotePort

Makes sure the outcome only shows ComputerName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort

 

Knowledge Check

 

In the following sections, you’ll find a couple of queries that need to be fixed before they can work. Try to find the problem and address it so that the query can work. Don’t worry, there are some hints along the way.

 

NetworkCommunicationEvents
| where RemoteIP in (“msupdater.com”, “twitterdocs.com”)
| summarize by ComputerName, InitiatingProcessComandLine

Image22.png

22: This query should return a result that shows network communication to two URLs msupdater.com and twitterdocs.com 

 

Image23.png

Image 23: This query should return a result that shows files downloaded through Microsoft Edge and returns the columns EventTime, ComputerName, InitiatingProcessFileName, FileName and FolderPath

 

How do I manage queries?

 

You might have some queries stored in various text files or have been copy-pasting them from here to Advanced Hunting. Advanced Hunting allows you to save your queries and share them within your tenant with your peers.

 

Image24.png

Image 24: You can choose Save or Save As to select a folder location

 

Image25.png

Image 25: Choose if you want the query to be shared across your organization or only available to you

 

Summary

 

We regularly publish new sample queries on GitHub. I highly recommend everyone to check these queries regularly. See, Sample queries for Advanced hunting in Windows Defender ATP.

 

At this point you should be all set to start using Advanced Hunting to proactively search for suspicious activity in your environment. If you have questions, feel free to reach me on my Twitter handle: @MiladMSFT.

1 Comment
Occasional Contributor

Great post @Milad Aslaner

I will take the chance to add some inspiration to the hunting :)

 

Example:

An event (let's call it Event A) occour but is by itself not classed as malicious. However if Event B accours after a certain amout of time we have an incident. But Event B is by itself not malicious

 

Solution:

This example is to hunt for a USB Rubber Ducky which is configured to execute powershell and run some commands

 

First we will Query for the device connection where device description is "HID Keyboard Device" but this event is, by itself not malicious

 

 

let MalPnPDevices =
    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | where parsed.DeviceDescription == "HID Keyboard Device"
    | project PluginTime=EventTime, ComputerName,parsed.ClassName, parsed.DeviceId, parsed.DeviceDescription;

After this event we want to see if we have a cmd or powershell execution to determain if this is a USB Rubber Ducky/Bad USB.

To achieve this we use the EventTime to compare with the eventtime of the process start

 

 

ProcessCreationEvents
| where ProcessCommandLine contains "powershell" or
        ProcessCommandLine startswith "cmd"     
| project ProcessCommandLine, ComputerName, EventTime, ReportId, MachineId
| join kind=inner MalPnPDevices on ComputerName
| where (EventTime-PluginTime) between (0min..10s)

 

We join the first result with the new statement and look for the event time and make sure that the events were recorded within 10 seconds.

(The reson is that the attacker can configure the ducky to delay for x amount of seconds which you normaly do to have time for driver to load, but from attacker perspective you would normaly want the payload to execute as soon as possible) of course you can change the "between seconds" to whatever you want and this is just an example).

 

Output:

example_hunting.png

 

 

To use this example you may have to tweak it a bit to avoid FPs but this post is more to inspire to extend the queries.

// Hunting for malicious HID Keyboard devices
// PNP Event and Powershell or CMD within 10 seconds after driver load
let MalPnPDevices =
    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | where parsed.DeviceDescription == "HID Keyboard Device"
    | project PluginTime=EventTime, ComputerName,parsed.ClassName, parsed.DeviceId, parsed.DeviceDescription, AdditionalFields;
ProcessCreationEvents
| where ProcessCommandLine contains "powershell" or
        ProcessCommandLine startswith "cmd"         
| project ProcessCommandLine, ComputerName, EventTime, ReportId, MachineId
| join kind=inner MalPnPDevices on ComputerName
| where (EventTime-PluginTime) between (0min..10s)

 

Other example scenarios

Event A and then look for a outbound Connection,  inbound Connection and then a process start.. 

 

Happy hunting! :)