Share Your Hunting Challenges!

Hello world! @Tali Ash and I would love your input on anything you would like demo'ed in future webcasts! Want to see us demonstrate a specific hunting capability? Got a query challenge on your mind? Reply with your idea or like a reply from the community - we'll pick some of the popular ideas and put together future webcasts on the topics.

Also, if you are looking for a great introduction to advanced hunting in MTP and KQL, be sure to check out our four-part series Tracking the Adversary at http://aka.ms/securitywebinars, or download the query files to practice on your own MTP instance at https://aka.ms/TrackingTheAdversary.

Happy hunting!
6 Replies

@MichaelJMelone 

It might be a bit off topic, but it is still about hunting.

Normally, for suspicious and unknown files, we send them to the Microsoft Anti-Malware team and VirusTotal.

Sometimes I will use Process Explorer and Process Monitor to do some investigation on an infected PC.

As you may know, we normally don't have a malware research lab in our company, and sometimes we play around with VMs and Windows Sandbox, but at the end of the day we have to wait for a response from the Microsoft Anti-Malware team.

It would be nice to discuss ways we could investigate malware internally and protect our systems while we are waiting for a patch.


@MichaelJMelone 

Tracking the Adversary series was just awesome, thanks for sharing this level of knowledge for free!

I want to detect when a user starts to use a new application/process. The scenario is like below:

A user uses normal applications like Excel, Word, etc. daily. Then, the same user suddenly starts using a new application/tool on day X. He/she uses the application several times during that day, and then stops using it. There are also other users using the same application/tool, but those users use it daily as it's their job. I have no information about any of the users or the application/tool itself. When I try to hunt for this scenario, I get a resource usage error or the query just gets stopped because of high CPU usage. Maybe you want to cover this "rare process seen on an endpoint" scenario.
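One way to express the "rare process seen on an endpoint" hunt described above in KQL, written here as an added example rather than a query from the thread or from the Tracking the Adversary series. It assumes the standard DeviceProcessEvents schema (Timestamp, DeviceName, AccountName, FileName) and treats the thresholds (30-day lookback, "regular user" = ten or more distinct days) as tuning knobs to adjust per environment:

```kusto
// Added example: flag users whose only use of a process in the lookback window
// falls on a single day, while other users run that same process on many days.
// Thresholds below are assumptions to tune, not values from the thread.
let lookback = 30d;          // how far back to build the per-user baseline
let recent = 7d;             // only alert on first-seen events in this window
let regularDays = 10;        // distinct days of use that mark a "regular" user
// Step 1: aggregate once per (user, process) so later stages work on a small table.
let baseline =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(AccountName) and isnotempty(FileName)
    | summarize FirstSeen = min(Timestamp),
                LastSeen  = max(Timestamp),
                DaysUsed  = dcount(startofday(Timestamp)),
                Executions = count(),
                Devices   = make_set(DeviceName, 10)
              by AccountName, FileName;
// Step 2: per process, how many users run it at all and how many run it regularly.
let popularity =
    baseline
    | summarize TotalUsers   = dcount(AccountName),
                RegularUsers = dcountif(AccountName, DaysUsed >= regularDays)
              by FileName;
// Step 3: one-day users of a process that has at least one regular user elsewhere.
baseline
| where DaysUsed == 1 and FirstSeen > ago(recent)
| join kind=inner popularity on FileName
| where RegularUsers >= 1
| project AccountName, FileName, FirstSeen, LastSeen, Executions, Devices,
          TotalUsers, RegularUsers
| order by Executions desc
```

The summarize-then-join shape is the point: aggregating to one row per (user, process) before any join keeps the working set small, which is the usual fix when a hunt over raw process events hits the resource or CPU limits the post describes. Processes that are new to everyone (RegularUsers of zero) are deliberately excluded here because the scenario specifies a tool that other users already run daily; drop that filter to also surface fleet-wide first-seen binaries.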


Great topics so far! Keep them coming.  If something you'd like to see exists already please like it, if not feel free to add it.


@MichaelJMelone 

I believe one of the greatest challenges to the industry is ransomware. We might use Controlled folder access, which is very effective at protecting our systems, and use a defense-in-depth strategy, but the worst case is when a user is infected, they lose their data, and they don't have any backup.

Hello, I need to know how to find the patch IDs associated with a CVE. I often find myself trying to find out if certain patches have been deployed, but am only given a CVE-xxxx-xxxx as my reference point.
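One way to answer the CVE-to-patch question from the advanced hunting side, added here as an example and not a query from the thread. It assumes the DeviceTvmSoftwareVulnerabilities table from the threat and vulnerability management schema, whose rows carry the CVE alongside the recommended security update and its KB identifier; the CVE value is a placeholder to replace with the one under review:

```kusto
// Added example: map a CVE to the recommended security update (KB) and list
// the devices on which that CVE is still reported as present.
let cve = "CVE-xxxx-xxxx";   // placeholder: substitute the CVE you were handed
DeviceTvmSoftwareVulnerabilities
| where CveId =~ cve
| summarize AffectedDevices = dcount(DeviceId),
            SampleDevices   = make_set(DeviceName, 20)
          by CveId, SoftwareName, SoftwareVersion,
             RecommendedSecurityUpdate, RecommendedSecurityUpdateId
| order by AffectedDevices desc
```

RecommendedSecurityUpdateId is the KB-style identifier to hand to whoever deploys updates; because the table only lists devices where the vulnerability is still assessed as present, an empty result for a CVE that does apply to your software inventory is the signal that the update has already reached every device that reports in, and a non-empty result is the remaining deployment gap.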
It would be great if you could cover how to use Machine Learning functions in MDATP/MTP for hunting.