Unleash the Hunter in You

Published Mar 19 2018 07:02 AM 6,807 Views
Microsoft

With the new Advanced Hunting capability on Windows Defender Advanced Threat Protection, you have even more powerful tools for successfully tracking and identifying advanced persistent threats. To help get you started, here are some examples that will give you a feel of Advanced Hunting and how it can help with your day-to-day hunting tasks. These examples cover new vulnerabilities as well as classic techniques used by attackers in the wild.

 

0-day Flash exploit attacks

  • Vulnerability overview: Zero-day remote code execution (RCE) exploit for the Adobe Flash Player vulnerability CVE-2018-4878 actively being used in the wild. Check out this blog post for more details.
  • Query goal: Finds characteristics of the attack. This query checks for the specific processes and URLs used in it: cmd.exe launched from excel.exe and contacting a .kr domain.
  • Query:

NetworkCommunicationEvents
| where EventTime > ago(14d)
| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentName =~ "excel.exe"
| where RemoteUrl endswith ".kr"
| project EventTime, ComputerName, RemoteIP, RemoteUrl
| top 100 by EventTime

 

Attacks exploiting the Electron framework vulnerability

  • Vulnerability overview: Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps. The vulnerability affects Electron apps that use custom protocol handlers. Read this article for more details.
  • Query goal: The query checks process command lines to find machines where there have been attempts to exploit the Protocol Handler Vulnerability, which affects apps that are based on the Electron platform, such as Skype, Teams, and Slack, and are registered as default protocol handlers.
  • Query:

ProcessCreationEvents
| where EventTime > ago(14d)
| where FileName in ("code.exe", "skype.exe", "slack.exe", "teams.exe")
| where InitiatingProcessFileName in ("iexplore.exe", "runtimebroker.exe", "chrome.exe")
| where ProcessCommandLine has "--gpu-launcher"
| summarize FirstEvent=min(EventTime), LastEvent=max(EventTime) by ComputerName, ProcessCommandLine, FileName, InitiatingProcessFileName

 

Enumeration of users/groups for lateral movement

  • Background: Enumeration of users and groups is an attacker activity commonly preceding privilege escalation and lateral movement attempts. These resources are typically enumerated to identify possible targets for compromise within the breached network.
  • Query goal: The query finds attempts to list users or groups using Net commands, and extracts the user or group name that was queried into a Target column.
  • Query:

ProcessCreationEvents
| where EventTime > ago(14d)
| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain')
// (?:user|group) is a non-capturing alternation, so capture group 1 is the target name;
// a bracketed [user|group] would be a character class matching a single letter.
| extend Target = extract("(?i)(?:user|group) (\"?[a-zA-Z0-9_ -]+\"?)", 1, ProcessCommandLine)
| filter Target != ''
| project AccountName, Target, ProcessCommandLine, ComputerName, EventTime
| sort by AccountName, Target
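The same filter chain, written as a small Python detector that runs over constructed sample telemetry, shows what each clause of the query above keeps and drops (the /add exclusion, the missing-target case of a bare "net user /domain", and the fact that "net localgroup" is not caught). This is an added example, not code from the original post or from Microsoft; the ProcessEvent class, the sample rows and the host and account names are all made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Same pattern as the extract() call in the query above, with the alternation
# written as a non-capturing group so that group 1 is still the target name.
TARGET_RE = re.compile(r'(?i)(?:user|group) ("?[a-zA-Z0-9_ -]+"?)')


@dataclass(frozen=True)
class ProcessEvent:
    """One ProcessCreationEvents row, reduced to the columns the query uses (hypothetical shape)."""
    event_time: str
    computer_name: str
    account_name: str
    file_name: str
    command_line: str


def extract_target(command_line: str) -> str:
    """Return the user or group name given on a 'net user'/'net group' line, or '' if none."""
    match = TARGET_RE.search(command_line)
    if not match:
        return ""
    return match.group(1).strip().strip('"').strip()


def is_net_enumeration(ev: ProcessEvent) -> bool:
    """Apply the query's filters to one event.

    KQL 'contains' and 'endswith' are case-insensitive, so the command line is
    lower-cased for those checks; '==' on FileName stays case-sensitive as in the query.
    """
    cmd = ev.command_line.lower()
    if ev.file_name != "net.exe" or not ev.account_name:
        return False
    if "\\" in cmd or "/add" in cmd:          # drop UNC paths and account creation
        return False
    if " user " not in cmd and " group " not in cmd:
        return False
    if not (cmd.endswith(" /do") or cmd.endswith(" /domain")):
        return False
    # 'net user /domain' lists everything but names no target, so it is filtered out here
    return extract_target(ev.command_line) != ""


def find_enumeration(events):
    """Project the matching events and sort by AccountName, Target, like the query."""
    hits = [
        {"AccountName": ev.account_name, "Target": extract_target(ev.command_line),
         "ProcessCommandLine": ev.command_line, "ComputerName": ev.computer_name,
         "EventTime": ev.event_time}
        for ev in events if is_net_enumeration(ev)
    ]
    return sorted(hits, key=lambda h: (h["AccountName"], h["Target"]))


# Constructed sample telemetry (not real data); hosts and account names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("2018-03-01T09:00:00Z", "ws01", "alice", "net.exe", "net user administrator /domain"),
    ProcessEvent("2018-03-01T09:01:00Z", "ws01", "alice", "net.exe", 'net group "Domain Admins" /domain'),
    ProcessEvent("2018-03-01T09:02:00Z", "ws02", "bob", "net.exe", "net user newguy P@ssw0rd /add /domain"),
    ProcessEvent("2018-03-01T09:03:00Z", "ws02", "bob", "net.exe", "net user /domain"),
    ProcessEvent("2018-03-01T09:04:00Z", "ws03", "carol", "net.exe", "net localgroup administrators /domain"),
    ProcessEvent("2018-03-01T09:05:00Z", "ws03", "", "net.exe", "net user svc_backup /domain"),
    ProcessEvent("2018-03-01T09:06:00Z", "ws04", "dave", "net.exe", 'net group "Domain Admins" /do'),
    ProcessEvent("2018-03-01T09:07:00Z", "ws05", "erin", "net.exe", "NET USER Administrator /DOMAIN"),
]

if __name__ == "__main__":
    for hit in find_enumeration(SAMPLE_EVENTS):
        print(hit["AccountName"], "->", hit["Target"], "|", hit["ProcessCommandLine"])
```

Running it lists four hits (alice twice, dave, erin) and drops the /add, bare "net user /domain", "net localgroup" and empty-AccountName rows. The "net localgroup" miss is a real gap in the page's query rather than an artefact of the translation: the ' group ' substring test needs a space before "group", so local group listing would need its own clause if you want to catch it.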

 

Sticky key attacks

  • Background: The sticky key accessibility program (sethc.exe) is often used to launch attacks because it can be launched without signing in to Windows. Attackers often replace this accessibility program with more powerful applications like cmd.exe to perform more complex tasks. For more information about sticky key attacks, read this article by the MITRE ATT&CK™ team.
  • Query goal: This query looks for attempts to launch cmd.exe in place of accessibility programs. It first builds the set of cmd.exe hashes that are prevalent across the organization, then joins that set against launches of the accessibility programs: an accessibility binary whose SHA1 equals a prevalent cmd.exe hash has been replaced.
  • Query:

let PrevalentCmdExeHash =
ProcessCreationEvents
| where EventTime > ago(14d)
| where FileName =~ 'cmd.exe'
| summarize count(ComputerName) by SHA1
| where count_ComputerName > 1000;
PrevalentCmdExeHash
| join kind=inner
(
    ProcessCreationEvents
    | project EventTime, ComputerName, ProcessCommandLine, FileName, SHA1
    | where EventTime > ago(7d)
    | where FileName in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe")
)
on SHA1
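The prevalence-then-join idea above is worth seeing outside KQL, because the join is what makes the query robust: it does not need to know the hash of any particular cmd.exe build, only that the hash is common. Below is an added Python example (not Microsoft's code and not part of the original post) that runs the same two steps over constructed sample events; the ProcessEvent class, the host names and the hash strings are placeholders, and the prevalence threshold is lowered from the page's 1000 to 3 so the small sample has something to return.

```python
from collections import defaultdict
from dataclasses import dataclass

# File names the inner query joins against (same list as the query above).
ACCESSIBILITY_PROGRAMS = {"utilman.exe", "osk.exe", "magnify.exe", "narrator.exe",
                          "displayswitch.exe", "atbroker.exe", "sethc.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One ProcessCreationEvents row, reduced to the columns the query uses (hypothetical shape)."""
    event_time: str
    computer_name: str
    file_name: str
    sha1: str


def prevalent_cmd_hashes(events, min_machines=1000):
    """SHA1 values of cmd.exe seen on more than min_machines distinct machines.

    The page's query counts rows per hash (count_ComputerName > 1000); this example
    counts distinct machines instead, which is the stricter prevalence signal.
    """
    machines_by_hash = defaultdict(set)
    for ev in events:
        if ev.file_name.lower() == "cmd.exe":        # =~ is case-insensitive in KQL
            machines_by_hash[ev.sha1].add(ev.computer_name)
    return {h for h, machines in machines_by_hash.items() if len(machines) > min_machines}


def find_replaced_accessibility_programs(events, min_machines=1000):
    """Inner join on SHA1: accessibility-program launches whose image hash is a prevalent cmd.exe hash."""
    prevalent = prevalent_cmd_hashes(events, min_machines)
    hits = {
        (ev.computer_name, ev.file_name.lower(), ev.sha1)
        for ev in events
        if ev.file_name.lower() in ACCESSIBILITY_PROGRAMS and ev.sha1 in prevalent  # in~ is case-insensitive
    }
    return sorted(hits)


# Constructed sample telemetry; the hash strings are placeholders, not real SHA1 values.
CMD_SHA1 = "constructed-sha1-of-genuine-cmd-exe"
RARE_SHA1 = "constructed-sha1-seen-on-one-machine"
SETHC_SHA1 = "constructed-sha1-of-genuine-sethc-exe"

SAMPLE_EVENTS = [
    ProcessEvent(f"2018-03-0{i}T08:00:00Z", f"ws0{i}", "cmd.exe", CMD_SHA1) for i in range(1, 6)
] + [
    ProcessEvent("2018-03-06T03:12:00Z", "ws03", "sethc.exe", CMD_SHA1),     # sethc.exe replaced by cmd.exe
    ProcessEvent("2018-03-06T03:13:00Z", "ws04", "sethc.exe", SETHC_SHA1),   # genuine sethc.exe
    ProcessEvent("2018-03-06T03:14:00Z", "ws05", "cmd.exe", RARE_SHA1),      # unusual cmd.exe build on one host
    ProcessEvent("2018-03-06T03:15:00Z", "ws05", "utilman.exe", RARE_SHA1),  # shares that rare hash: not flagged
]

if __name__ == "__main__":
    # Threshold lowered to 3 for the small sample; the query on the page uses 1000.
    for computer, program, sha1 in find_replaced_accessibility_programs(SAMPLE_EVENTS, min_machines=3):
        print(f"{computer}: {program} launched with prevalent cmd.exe hash {sha1}")
```

The ws05 case shows the trade-off built into the threshold: a utilman.exe that shares its hash with a cmd.exe seen on only one machine is not reported, because that hash never becomes "prevalent". Lowering the threshold widens coverage at the cost of pulling in one-off or unusual cmd.exe builds; a second query keyed on rare hashes of the accessibility binaries themselves would cover that corner.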

 

 

If you enjoyed using these examples, check out the default saved queries available on the Advanced Hunting page. Let us know what you think through the feedback system on the menu (click the smiley icon) or join the community in building powerful queries using the Advanced Hunting GitHub repository.

Thank you!

Windows Defender ATP Team

16 Comments
Re: Unleash the Hunter in You

Thanks Neil for your feedback - we appreciate it. :)

RE time filter:
We currently support hunting only on the last 30 days.
Any time filter you add on the EventTime field is an additional filter applied - so in your example it would show all events that occur between 30 days ago and 4 hours ago.
If I misunderstood your question, please send a frownie feedback from the portal (top right of the page), with your query shown in the page, so that we can see the query details and reply more accurately.

RE RemoteUrl field in NetworkCommunicationsEvents:
You are correct. What this column currently contains in this table is a DNS entry, not a full URL.
However, within a few weeks, some of the events uploaded to this table will contain a full URL.
Also, other events in other tables already contain full URLs - e.g. URLs that were blocked, URLs that were opened from Outlook/Office, etc.
Background on our schema principles:
We have chosen to keep our schema column names consistent between the different tables and events. For example, we could have called the SHA1 field in ProcessCreationEvents "ProcessImageFileSHA1" and called it "CreatedFileSHA1" in FileCreationEvents - but this would eventually create a very complex schema that is hard to learn and to query on top of. Similarly, some fields may contain data with a slightly different format for some events - e.g. some events may sometimes report the full FQDN in the RemoteComputerName field, and others may specify the NETBIOS name. It is problematic to put the two in a single column, but we think it would be more of an issue if we had a different column for every such variation.
Future mitigation:
We will have more elaborate documentation in the future, that will explain for each ActionType what it is, and will also answer some FAQs on it - such as the issue described above.

RE parse_url:
The parse_url function is supported.
See query example here: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Delivery/Open%20email%20link.txt

Hope this helps,
Tomer

Re: Unleash the Hunter in You

Some feedback on the language:
------
I'm building test queries - and didn't want to overload the system so I was doing things like
| where EventTime < ago(4h)

However it seems to ignore that in favor of the "Last 30 days" drop down above.
-------
NetworkCommunicationsEvents | RemoteURL seems to not return the full URL - just up to the domain.. so it would be more RemoteDomain_URI

i.e. if a user browses to "https://techcommunity.microsoft.com/t5/forums/replypage/board-id/WDATPNew" the RemoteURL seems to just have "techcommunity.microsoft.com"
-------
I also tried using Parse_Url and such from:
https://docs.loganalytics.io/docs/Language-Reference/Scalar-functions/parse_url()

but those scalars don't seem to be implemented yet?
-------

-Neil

Re: Unleash the Hunter in You

Hi

It would be great to collect the appCompatCache and/or Amcache.hve entries, to hunt for program execution. Is this something you guys have on the roadmap?

thx
Keith

Re: Unleash the Hunter in You

Great idea!

Re: Unleash the Hunter in You

Advanced hunting is NOT a view/skin of data stored in Log Analytics.
Both we and Log Analytics use the same technology, hence the reason we are sharing the query language details.

Thanks,
Tomer

Re: Unleash the Hunter in You

Tomer,

I was implying two questions with my "connecting log analytics or power bi" question:
A)
It looks like Advanced Hunting is based on Log Analytics (given the volume of data and the query language - why wouldn't you leverage a service which is exactly designed for the massive data quantity and query system) ---
So if it's based on Log Analytics -- well that already has a system for linking to PowerBI for reporting and visualization and it also has a Microsoft Flow connector for triggering actions.

B)
If Advanced Hunting is NOT a view/skin of data stored in Log Analytics, then yes I would be interested in an API or some other interface so I could visualize data in PowerBI.

Example: Let's say we create some test campaigns to find out if users fall for click-bait-phishing links that snuck into a Microsoft Teams discussion. Being able to perform analysis on user behavior just before and after falling for the click-bait, on a day by day basis as well as over a 30, 60, 90 day period just might be interesting.

(but isn't that the point of having this large data set -- you might be able to find patterns 15, 30, 60, 90 days later that you didn't think of in advance, in part to determine if other devices were compromised?)

Re: Unleash the Hunter in You

Neil,

If I read your comment correctly you are asking for API access to the advanced hunting capabilities.
Please submit this request via the portal feedback option (and include your email address).

Thanks,
Tomer

Re: Unleash the Hunter in You

Hi Sean,
We have a custom TI interface which you can use to convert your IOC streams into and feed to WDATP. Once done the system will constantly match those against incoming telemetry and raise an alert in case of a match (documentation is here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection)
Regarding scheduled queries and alerting on the results - yes this is on our RS5 list. The intent here is to make those standard alerts, which will also be available for pulling over the SIEM interface.
Thanks,
Tomer

Re: Unleash the Hunter in You

Where do we post feedback and/or bugs with Advanced Hunting? Uservoice?

I have had a number of odd glitches with the "Export to Excel" after running a saved query.

Thanks!

Re: Unleash the Hunter in You

Liza,

This uses the new Log Analytics query language - but can we do things like:
  • Use Microsoft Flow to schedule queries
  • Can we save the output of queries to some persistent storage - right now we can manually click on Export to Excel
  • Can Log Analytics or PowerBI connect to the hunting data (The current PowerBI dashboard for Defender ATP seems to be focused on raised alerts - the data set doesn't seem to show the full hunting data)

So far this looks very useful.

-Neil

Re: Unleash the Hunter in You

AH is evolving in a very positive way. I have some follow up questions:

  1. Are you looking to offer import capabilities, something along the lines of consumers downloading IOC standard type formats (OpenIOC_1.1, STIX, YARA) that can be converted into a format to be used in AH?
  2. Would be great to create a query, schedule it to run and have a number of alert notification capabilities e.g. via a dashboard in the portal, email etc. Is this something on your roadmap?
  3. Any thoughts on the ability to ingest results of queries into a SIEM?

Re: Unleash the Hunter in You

Any chance you guys will be adding 'Reverse DNS Names' to the NetworkCommunicationEvent as a searchable criteria for the RemoteIp? I'm assuming that data in the Security Console is populated on-demand when hitting an IP Overview page rather than continuously stored, but being able to use FQDNs (especially with wildcards, regex, etc) for searching malware domains, or a set of domains associated with various campaigns would be very powerful! Attaching a screenshot of Mac-based OceanLotus backdoor and the IPs where the C&C domains show up.

Re: Unleash the Hunter in You

Hi Keith,
Thanks!

When sorting your results you can use asc instead of desc.

Re: Unleash the Hunter in You

Great work! I love this advanced hunting. I was wondering if there is a function to get the bottom events instead of the top events?

Re: Unleash the Hunter in You

Hi Marc,
Great to hear!
We've created our own GitHub repository to enable our users to share and contribute -
https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/

Re: Unleash the Hunter in You

Love the Advanced Hunting, it would be great if there was a forum for end users to share their queries or suggest new Alerts for Microsoft to add to the product. Similar to how Encase allows users to post and share EnScripts.

Label: Advanced hunting
Version history
Last update: Sep 16 2020 09:50 AM