Unleash the Hunter in You

Published Mar 19 2018 07:02 AM 6,393 Views

With the new Advanced Hunting capability on Windows Defender Advanced Threat Protection, you have even more powerful tools for successfully tracking and identifying advanced persistent threats. To help get you started, here are some examples that will give you a feel of Advanced Hunting and how it can help with your day-to-day hunting tasks. These examples cover new vulnerabilities as well as classic techniques used  by attackers in the wild.


0-day Flash exploit attacks

  • Vulnerability overview: Zero-day remote code execution (RCE) exploit for the Adobe Flash Player vulnerability CVE-2018-4878 actively being used in the wild. Check out this blog post for more details.
  • Query goal: Finds characteristics related to attacks. This query checks for specific processes and URLs used in the attack.
  • Query:


| where EventTime > ago(14d)

| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentName =~ "excel.exe"

| where RemoteUrl endswith ".kr"

| project EventTime, ComputerName, RemoteIP, RemoteUrl

| top 100 by EventTime


Attacks exploiting the Electron framework vulnerability

  • Vulnerability overview: Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps. The vulnerability affects Electron apps that use custom protocol handlers. Read this article for more details.
  • Query goal: The query checks process command lines to find machines where there have been attempts to exploit the Protocol Handler Vulnerability, which affects apps that are based on the Electron platform, such as Skype, Teams, and Slack, and are registered as default protocol handlers.
  • Query:


| where EventTime > ago(14d)

| where FileName in ("code.exe", "skype.exe", "slack.exe", "teams.exe")

| where InitiatingProcessFileName in ("iexplore.exe", "runtimebroker.exe", "chrome.exe")

| where ProcessCommandLine has "--gpu-launcher"

| summarize FirstEvent=min(EventTime), LastEvent=max(EventTime) by ComputerName, ProcessCommandLine, FileName, InitiatingProcessFileName


Enumeration of users/groups for lateral movement

  • Background: Enumeration of users and groups is an attacker activity commonly preceding privilege escalation and lateral movement attempts. These resources are typically enumerated to identify possible targets for compromise within the breached network.
  • Query goal: The query finds attempts to list users or groups using Net commands.
  • Query:


| where EventTime > ago(14d)

| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\'  and ProcessCommandLine !contains '/add'

| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain')

| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine)

| filter Target  != ''

| project AccountName, Target, ProcessCommandLine, ComputerName, EventTime

| sort by AccountName, Target


Sticky key attacks

  • Background: The sticky key accessibility program (sethc.exe) is often used to launch attacks because it can be launched without signing in to Windows. Attackers often replace this accessibility program with more powerful applications like cmd.exe to perform more complex tasks. For more information about sticky key attacks, read this article by the MITRE ATT&CK™ team.
  • Query goal: This query looks for attempts to launch cmd.exe in place of accessibility programs.
  • Query:

let PrevalentCmdExeHash =


| where EventTime > ago(14d)

| where FileName =~ 'cmd.exe'   

| summarize count(ComputerName) by SHA1

| where count_ComputerName > 1000;


| join kind=inner



    | project EventTime, ComputerName, ProcessCommandLine, FileName, SHA1

    | where EventTime > ago(7d)

    | where FileName in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe")


on SHA1



If you enjoyed using these examples, check out the default saved queries available on the Advanced Hunting page. Let us know what you think through the feedback system on the menu (click the smiley icon) or join the community in building powerful queries using the Advanced Hunting GitHub repository.


Thank you!


Windows Defender ATP Team

Senior Member

Love the Advanced Hunting, it would be great if there was a  forum for end users to share their queries or suggest new Alerts for Microsoft to add to the product. Similar to how Encase allows users to post and share endscripts.


Hi Marc,

Great to hear!

we've created our own GitHub repository to enable our users to share and contribute - 


Great work! I love this advanced hunting. I was wondering if there is a function to get the bottom events instead of the top events?


Hi Keith, 



when soring your results you can use asc instead desc .


Occasional Visitor

Any chance you guys will be adding 'Reverse DNS Names' to the NetworkCommunicationEvent as a searchable criteria for the RemoteIp?  I'm assuming that data in the Security Console is populated on-demand when hitting an IP Overview page rather than continuously stored, but being able to use FQDNs (especially with wildcards, regex, etc) for searching malware domains, or a set of domains associated with various campaigns would be very powerful!  Attaching a screenshot of Mac-based OceanLotus backdoor and the IPs where the C&C domains show up.


Senior Member

AH is evolving in a very positive way. I have some follow up questions:


  1. Are you looking to offer import capabilities, something along the lines of consumers downloading IOC standard type formats (OpenIOC_1.1, STIX, YARA) that can be converted into a format to be used in AH?
  2. Would be great to create a query, schedule it to run and have a number of alert notification capabilities e.g. via a dashboard in the portal, email etc. Is this something on your roadmap?
  3. Any thoughts on the ability to ingest results of queries into a SIEM?



This uses the new Log Analytics query language - but can we do things like:

  • Use Microsoft Flow to schedule queries
  • Can we save the output of queries to some persistent storage - right now we can manually click on Export to Excel
  • Can Log Analytics or PowerBI connect to the hunting data (The current PowerBI dashboard for Defender ATP seems to be focused on raised alerts - the data set doesn't seem to show the full hunting data)


So far this looks very useful.




Where do we post feedback and/or bugs with Advanced Hunting? Uservoice?


I have had a number of odd glitches with the "Export to Excel" after running a saved query.





Hi Sean,

We have a custom TI interface which you can use to convert your IOC streams into and feed to WDATP. Once done the system will constantly match those against incoming telemetry and raise alert in case of a match (documentation is here)

Regarding the schedule queries and alert on the results - yes this is on our RS5 list. The intent here is to make those standard alerts, which will also be available for pulling over the SIEM interface




If I read your comment correctly you are asking for API access to the advanced hunting capabilities.
Please submit this request via the portal feedback option (and include your email address).


I was implying two questions with my "connecting log analytics or power bi" question:
It looks like Advanced Hunting is based on Log Analytics (given the volume of data and the query language - why wouldn't you leverage a service which is exactly designed for the massive data quantity and query system) ---
So if its based on Log Analytics -- well that already has a system for linking to PowerBI for reporting and visualization and it also has a Microsoft Flow connector for triggering actions.

If Advanced Hunting is a NOT a view/skin of data stored in Log Analytics, then yes I would be interested in an API or some other interface so I could visualize data in PowerBI.

Example: Lets say we create some test campaigns to find out if users fall for click-bait-phishing links that snuck into a Microsoft teams discussion. Being able perform analysis on user behavior just before and after falling for the click-bait, on a day by day as well as over a 30, 60, 90 day period just might be interesting.

(but isn't that the point of a having this large data set -- you might be able to find patterns 15, 30, 60, 90 days later that you didn't think of in advance, in part to determine if other devices were compromised? )

Advanced hunting is not NOT a view/skin of data stored in Log Analytics. 

Both us and Log Analytics use the same technology, hence the reason we are sharing the query language details. 




Occasional Visitor

Great idea!



I would be great to collect the appCompatCache and/or Amcache.hve entries, to hunt for Program execution. Is this something you guys have on the roadmap?





Some feedback on the language:


I building test queries - and didn't want to overload the system so I was doing things like 

| where EventTime < ago(4h)


However it seems to ignore that in favor of the "Last 30 days" drop down above.


NetworkCommunicationsEvents | RemoteURL seems to not return the full URL - just up to the domain.. so it would be more RemoteDomain_URI   


i.e. if user browses to "https://techcommunity.microsoft.com/t5/forums/replypage/board-id/WDATPNew" the RemoteURL seems to just have "techcommunity.microsoft.com"


I also tried using Parse_Url and such from:



but those scalar's don't seem to be implemented yet?





Thanks Neil for your feedback - we appreciate it. :)


RE time filter:

We currently support hunting only on the last 30 days.

Any time filter you add on EventTime field is an additional filter applied - so in your example it would show all events that occur between 30 days ago and 4 hours ago.

If I misunderstood your question, please send a frownie feedback from the portal (top right of the page), with your query shown in the page, so that we can see the query details and reply more accurately.


RE RemoteUrl field in NetworkCommunicationsEvents:

You are correct. What this column currently contains in this table is a DNS entry, not a full URL.
However, within a few weeks, some of the events uploaded to this table will contain a full URL.

Also, other events in other tables already contain full URL - e.g. URLs that were blocked, URLs that were opened from outlook/office, etc.

Background on our schema principals:

We have chosen to keep our schema column names consistent between the different tables and events. In example, we could have called the SHA1 field in the ProcessCreationEvents "ProcessImageFileSHA1" and to call it in the FileCreationEvents "CreatedFileSHA1" - but this would eventually create a very complex schema that is hard to learn and to query on top of. Similarly, some fields may contain data with slightly different format for some events - e.g. some events may sometime report the full FQDN in the RemoteComputerName field, and others may specify the NETBIOS name. It is problematic to put the two in a single column, but we think it would be more of an issue if we would have a different column for every such variation.

Future mitigation:

We will have more elaborate documentation in the future, that will explain for each ActionType what it is, and will also answer some FAQ on it - such as the issue described above.


RE parse_url:

parse_url function is supported.

See query example here: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Delivery/Open%20email%20...


Hope this helps,


Version history
Last update:
‎Sep 16 2020 09:50 AM
Updated by: