Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

User Profile

genckelmendi

Copper Contributor

Joined 3 years ago

5 Posts1 Like1 Solution

View All Badges

User Widgets

Recent Discussions

Re: Advanced hunting that queries VirusTotal detections
Thank you cyb3rmik3 , likewise I still haven't found a way around this. By dynamic, you mean that MDATP requests detection ratio from VT each time it loads process tree?
May 17, 2023 Place Microsoft Defender XDR
3KViews
0likes
1Comment
Re: Advanced hunting that queries VirusTotal detections
Nobody knows?
May 12, 2023 Place Microsoft Defender XDR
3KViews
0likes
3Comments
Advanced hunting that queries VirusTotal detections
MDATP supports VirusTotal detection ratio for most executions. But how to query VirusTotal details using advanced hunting? For example, DeviceProcessEvents | where VirusTotalDetections > 5 How to extract and translate the "VirusTotal detection ratio" parameter from execution GUI tree to advanced hunting query? Thank you.
Apr 09, 2023 Place Microsoft Defender XDR
threat hunting
3.3KViews
0likes
4Comments
Re: Executables created and executed within a short time - Microsoft Defender ATP Query
genckelmendi Wrote this and works good enough for my purposes. Couple of changes though. I had to include also FileRenamed, because chromium-based browsers create the files under different filename until the download is finished. Also, I separated hunting for PE executables (.exe, .com, .scr, .pif) and non-PE packages or scripts that are dependent upon native PE executables (.msi [msiexec.exe], .bat [cmd.exe], .vbs [cscript.exe], .hta [mshta.exe], .ps1 [powershell.exe] etc.). Created and executed PE within 5 minutes in the last 3 days DeviceFileEvents | where Timestamp > ago(72h) | where ActionType == "FileCreated" or ActionType == "FileRenamed" | where FileName endswith ".exe" or FileName endswith ".com" or FileName endswith ".scr" or FileName endswith ".pif" | join kind=inner (DeviceProcessEvents) on DeviceId | where Timestamp1 > ago(72h) | where FolderPath == FolderPath1 | where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe" | where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m) | extend Difference = Timestamp1 - Timestamp | project-rename Created=Timestamp, Executed=Timestamp1, ProcessFileName=FileName1, ProcHash=SHA2561 | project Created, PreviousFileName, Executed, Difference, DeviceName, ProcessFileName, FolderPath, AccountName, ProcessCommandLine, ProcHash | order by Created desc Created and executed Script within 5 minutes in the last 3 days DeviceFileEvents | where Timestamp > ago(72h) | where ActionType == "FileCreated" or ActionType == "FileRenamed" | where FileName endswith ".msi" or FileName endswith ".cmd" or FileName endswith ".bat" or FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".vbe" or FileName endswith ".vb" or FileName endswith ".vbscript" or FileName endswith ".wsf" or FileName endswith ".wsh" or FileName endswith ".msp" or FileName endswith ".ps1" or FileName endswith ".psm1" or FileName endswith ".psd1" | join kind=inner (DeviceProcessEvents) on DeviceId | where Timestamp1 > ago(72h) | where ProcessCommandLine contains FileName | where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe" | where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m) | extend Difference = Timestamp1 - Timestamp | project-rename Created=Timestamp, Executed=Timestamp1, ProcessName=FileName1, FileHash=SHA256 | project Created, PreviousFileName, Executed, Difference, DeviceName, FileName, FolderPath, ProcessName, ProcessCommandLine, AccountName, FileHash | order by Created desc
Mar 11, 2023 Place Microsoft Defender XDR
2.7KViews
1like
1Comment
Executables created and executed within a short time - Microsoft Defender ATP Query
I am trying to come up with an advanced hunting query in Defender ATP, that finds created files ending with .bat and .exe, and then searches for processes events on the same device no later than 30 minutes from the creation time of the .bat/.exe file, that contain the created filename in Process CommandLine, OR that created filename is equal to Process FileName. Examples. A setup.exe is downloaded and executed after 7 minutes (Process FileName is equal to Created FileName and the time window between these events is less than 30 minutes.) Alternatively, a setup.bat is downloaded and executed after 29 minutes, cmd.exe will be launched with the parameter /c "C:\Users\username\Downloads\setup.bat" - setup.bat is a substring (contained) within the Process CommandLine, and the interval between these events are less then 30 minutes. Any help greatly appreciated. Thank you.
Solved
Mar 10, 2023 Place Microsoft Defender XDR
threat hunting
2.9KViews
0likes
2Comments

Groups

Recent Blog Articles

No content to show