With the new Advanced Hunting capability on Windows Defender Advanced Threat Protection, you have even more powerful tools for successfully tracking and identifying advanced persistent threats. To help get you started, here are some examples that will give you a feel of Advanced Hunting and how it can help with your day-to-day hunting tasks. These examples cover new vulnerabilities as well as classic techniques used by attackers in the wild.
0-day Flash exploit attacks
NetworkCommunicationEvents
| where EventTime > ago(14d)
| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentName =~ "excel.exe"
| where RemoteUrl endswith ".kr"
| project EventTime, ComputerName, RemoteIP, RemoteUrl
| top 100 by EventTime
Attacks exploiting the Electron framework vulnerability
ProcessCreationEvents
| where EventTime > ago(14d)
| where FileName in ("code.exe", "skype.exe", "slack.exe", "teams.exe")
| where InitiatingProcessFileName in ("iexplore.exe", "runtimebroker.exe", "chrome.exe")
| where ProcessCommandLine has "--gpu-launcher"
| summarize FirstEvent=min(EventTime), LastEvent=max(EventTime) by ComputerName, ProcessCommandLine, FileName, InitiatingProcessFileName
Enumeration of users/groups for lateral movement
ProcessCreationEvents
| where EventTime > ago(14d)
| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain')
| extend Target = extract("(?i)(?:user|group) (\"*[a-zA-Z0-9_ -]+\"*)", 1, ProcessCommandLine)
| filter Target != ''
| project AccountName, Target, ProcessCommandLine, ComputerName, EventTime
| sort by AccountName, Target
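The same enumeration logic as a standalone Python function, added here as an example (it is not part of the original post or the Advanced Hunting product), run over constructed sample events; the regex uses a real alternation for user|group and puts the hyphen last in the character class so it is unambiguously literal.

```python
import re

# Constructed sample ProcessCreationEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"EventTime": "2018-09-01T10:00:00Z", "ComputerName": "ws01", "AccountName": "alice",
     "FileName": "net.exe", "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    {"EventTime": "2018-09-01T10:01:00Z", "ComputerName": "ws01", "AccountName": "alice",
     "FileName": "net.exe", "ProcessCommandLine": "net user jsmith /do"},
    # Excluded: '/add' is account creation, not enumeration.
    {"EventTime": "2018-09-01T10:02:00Z", "ComputerName": "ws02", "AccountName": "bob",
     "FileName": "net.exe", "ProcessCommandLine": "net user svc P@ss /add /domain"},
    # Excluded: a UNC path is dropped by the backslash check.
    {"EventTime": "2018-09-01T10:03:00Z", "ComputerName": "ws02", "AccountName": "bob",
     "FileName": "net.exe", "ProcessCommandLine": r"net use \\fs01\share /domain"},
    # Excluded: empty AccountName and no /domain switch.
    {"EventTime": "2018-09-01T10:04:00Z", "ComputerName": "ws03", "AccountName": "",
     "FileName": "net.exe", "ProcessCommandLine": "net user"},
    # Excluded: not net.exe itself (the child net.exe would be its own row).
    {"EventTime": "2018-09-01T10:05:00Z", "ComputerName": "ws03", "AccountName": "carol",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c net group /domain"},
]

# Mirrors the extract() in the hunting query: the target name after 'user' or 'group',
# optionally wrapped in double quotes.
TARGET_RE = re.compile(r'(?i)(?:user|group) ("*[a-zA-Z0-9_ -]+"*)')

def extract_target(cmdline):
    """Return the user/group name being queried, or '' if none is present."""
    m = TARGET_RE.search(cmdline)
    return m.group(1).strip('"').strip() if m else ""

def find_enumeration(events):
    """Apply the query's filters row by row; return sorted (account, target, host)."""
    hits = []
    for e in events:
        cl = e["ProcessCommandLine"]
        if e["FileName"].lower() != "net.exe" or not e["AccountName"]:
            continue
        if "\\" in cl or "/add" in cl:
            continue
        if not (" user " in cl or " group " in cl):
            continue
        if not (cl.endswith(" /do") or cl.endswith(" /domain")):
            continue
        target = extract_target(cl)
        if target:
            hits.append((e["AccountName"], target, e["ComputerName"]))
    return sorted(hits)
```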
Sticky key attacks
let PrevalentCmdExeHash =
ProcessCreationEvents
| where EventTime > ago(14d)
| where FileName =~ 'cmd.exe'
| summarize count(ComputerName) by SHA1
| where count_ComputerName > 1000;
PrevalentCmdExeHash
| join kind=inner
(
ProcessCreationEvents
| project EventTime, ComputerName, ProcessCommandLine, FileName, SHA1
| where EventTime > ago(7d)
| where FileName in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe")
)
on SHA1
If you enjoyed using these examples, check out the default saved queries available on the Advanced Hunting page. Let us know what you think through the feedback system on the menu (click the smiley icon) or join the community in building powerful queries using the Advanced Hunting GitHub repository.
Thank you!
Windows Defender ATP Team