We’d like to invite you to explore our repository (https://github.com/Microsoft/windowsDefenderATP-Hunting-Queries/) of sample queries for Advanced hunting in Windows Defender Advanced Threat Protection.
It has been exciting to see thousands of customers using our new Advanced hunting capabilities. We would like to take it a step forward by enabling our users to share their knowledge with the community and help others identify breaches and other unwanted activity.
Got your own interesting query? Everyone is welcome to contribute queries – so come and join the fun!
Visit the repository regularly to get hunting ideas, learn more about the query language and available data, and get familiar with specific attacker campaigns and tactics, techniques, and procedures (TTPs).
The queries in the repository can vary in complexity and purpose. To give a few examples, these queries could:
- Hunt for known TTPs (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Persistence/Accessibility%20Features.txt)
- Join multiple noisy signals together to find gold (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Delivery/Doc%20attachment%20with%20link%20to%20download.txt)
- Focus on a single tool usage (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Discovery/Enumeration%20of%20users%20%26%20groups%20for%20lateral%20movement.txt)
- Slice and dice the signals from the Windows Defender suite (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Protection%20events/ExploitGuardBlockOfficeChildProcess)
- Track concrete CVEs (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Exploits/Electron-CVE-2018-1000006.txt) or campaigns (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Campaigns/DofoilNameCoinServerTraffic.txt)
And so much more…
See you at the hunting grounds!
Thanks,
Windows Defender ATP team