Microsoft

We’d like to invite you to explore our GitHub repository of sample queries for Advanced hunting in Windows Defender Advanced Threat Protection: https://github.com/Microsoft/windowsDefenderATP-Hunting-Queries/

It has been exciting to see thousands of customers using our new Advanced hunting capabilities. We would like to take it a step forward by enabling our users to share their knowledge with the community and help others identify breaches and other unwanted activity.

Got your own interesting query? Everyone is welcome to contribute queries – so come and join the fun!

Visit the repository regularly to get hunting ideas, learn more about the query language and available data, and get familiar with specific attacker campaigns and tactics, techniques, and procedures (TTPs).

The queries in the repository can vary in complexity and purpose. To give a few examples, these queries could:

  1. Hunt for known TTPs (Persistence through accessibility features: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Persistence/Accessibility%20Features.txt)
  2. Join multiple noisy signals together to find gold (Doc attachment > Click on link > Browser download: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Delivery/Doc%20attachment%20with%20link%20to%20download.txt)
  3. Focus on a single tool usage (Enumeration of users or groups using net.exe: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Discovery/Enumeration%20of%20users%20%26%20groups%20for%20lateral%20movement.txt)
  4. Slice and dice the signals from Windows Defender suite (Exploit Guard audits and blocks: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Protection%20events/ExploitGuardBlockOfficeChildProcess)
  5. Track concrete CVEs (CVE-2018-1000006: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Exploits/Electron-CVE-2018-1000006.txt) or campaigns (Dofoil: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Campaigns/DofoilNameCoinServerTraffic.txt)

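As an added illustration of the third kind of hunt above (enumeration of users and groups with net.exe), here is a query in the Advanced hunting query language. It is not one of the repository's queries, and it assumes the Windows Defender ATP schema of the time (the ProcessCreationEvents table and the column names used below).

```kusto
// Added example: hunt for account and group enumeration via net.exe / net1.exe.
// Assumes the 2018-era Windows Defender ATP Advanced hunting schema
// (ProcessCreationEvents table and the column names used below).
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName in~ ("net.exe", "net1.exe")
// Keep only the user/group sub-commands of net
| where ProcessCommandLine has_any ("user", "group", "localgroup")
// Domain-wide lookups and queries about admin groups are the interesting ones
| where ProcessCommandLine has_any ("/domain", "administrators", "admins")
// net.exe normally re-launches itself as net1.exe with the same arguments;
// drop that child so each command is counted once
| where InitiatingProcessFileName !~ "net.exe"
| summarize
    CommandCount = dcount(ProcessCommandLine),
    Commands     = make_set(ProcessCommandLine, 10),
    FirstSeen    = min(EventTime),
    LastSeen     = max(EventTime)
    by ComputerName, AccountName, InitiatingProcessFileName, Hour = bin(EventTime, 1h)
// A single "net user" is routine admin work; several distinct enumeration
// commands from one parent process within an hour looks like reconnaissance
| where CommandCount >= 3
| project Hour, ComputerName, AccountName, InitiatingProcessFileName,
          CommandCount, FirstSeen, LastSeen, Commands
| order by CommandCount desc, Hour desc
```

Tune the CommandCount threshold and the account filter to your environment; help-desk scripts and inventory tools are the usual sources of benign hits.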
And so much more…

See you at the hunting grounds!

Thanks,

Windows Defender ATP team

[Image: SmbScanQueryExample.png]