threat hunting
102 TopicsHow does Defender detect file version limit default changes?
Hi all, I am currently reviewing a historic article that mentions a Cloud Ransomware attack where attackers can change the default number of file versions saved by default. They change this from the default 500 to 1 and then save over your files to make them unrecoverable. Apparently this doesn't need admin credentials, a standard user can do this themselves. All of the Microsoft guidance says that Microsoft is protected against cloud ransomware attacks of this type because of the file versioning feature, as well as being able to contact Microsoft for 14 days after such an incident and they can retrieve your data. My questions are: Where do I find what the current settings are for file version limit defaults? Is it in the OneDrive/SharePoint admin centres? How do I find out whether such a change has been made? Is there an alert already configured in Defender to detect such a change? If not, does anyone know how to set one up, e.g., KQL and a custom detection? I tried asking Copilot, but it just sends me to the official Microsoft documentation, so any help is greatly appreciated.16Views0likes1CommentWhitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions or the node machine he uses to initiate connections? So that it no longer generates or the incidents linked to these activities are automatically resolved. Thank you for your help. HKN31Views0likes0CommentsMonitoring copied files on External drive - USB
Hello Guys, i struggle to find a way in Defender for EPP or other solutions to monitor when a user copied files on an external peripheral such as hard drive and USB. Some one have the procedure or documentation ? NOTE : Defender timeline could see when a user is plugging a USB stick. but that's... Thanks !Solved11KViews0likes2CommentsFind the file creation time/date in Microsoft 365 Defender Alerts for blocked software
In the portal it tells you the SHA1 hash and the path of the file(s) in question but does not indicate when the file was created. This file in particular was found during a routine scan and I would like to know when the file was created for creating a timeline for hunting. Any assistance on this would be appreciated.1.4KViews0likes5CommentsThreat hunting help
I'm hoping someone can help me here. I'm using the below very common queries to find USB activity. It finds FildCreated, FileModified, FileRenamed and FileDeleted. What I don't seem to able to find is file reads. i.e. someone doubles click on a file on the USB and it opens essentially reading the file from the USB. Anyone know how to find a file read from USB? let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices. let TimespanInSeconds = 900; // Period of time between device insertion and file copy let Connections = DeviceEvents | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected" | extend parsed = parse_json(AdditionalFields) | project DeviceId,ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds) | where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device'; DeviceFileEvents | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\" | join kind=inner Connections on DeviceId | where datetime_diff('second',Timestamp,ConnectionTime) <= TimespanInSeconds249Views0likes1CommentAdvance Hunting - SCID
Hi, Where can I find a reference sheet/document for the SCID's used in below query. I have searched pretty much everywhere but haven't been able find anything on this. It would be great if someone can please direct me towards any info or anywhere I can find it. Cheers! / Best practice endpoint configurations for Microsoft Defender for Endpoint deployment. DeviceTvmSecureConfigurationAssessment | where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016") | summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId, OSPlatform | extend Test = case( ConfigurationId == "scid-2000", "SensorEnabled", ConfigurationId == "scid-2001", "SensorDataCollection", ConfigurationId == "scid-2002", "ImpairedCommunications", ConfigurationId == "scid-2003", "TamperProtection", ConfigurationId == "scid-2010", "AntivirusEnabled", ConfigurationId == "scid-2011", "AntivirusSignatureVersion", ConfigurationId == "scid-2012", "RealtimeProtection", ConfigurationId == "scid-91", "BehaviorMonitoring", ConfigurationId == "scid-2013", "PUAProtection", ConfigurationId == "scid-2014", "AntivirusReporting", ConfigurationId == "scid-2016", "CloudProtection", "N/A"), Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD") | extend packed = pack(Test, Result) | summarize Tests = make_bag(packed) by DeviceName, OSPlatform | evaluate bag_unpack(Tests)15KViews1like2CommentsXDR deception - decoy working - lures not deploying
Hi everyone, i am trying to create some custom deceptions with the help of this blog post: Stack Your Deception: Stacking MDE Deception Rules with Thinkst Canarytokens ยท Attack the SOC The decoys are working (if i ping a host i specified - alerts are raised). But i cannot find the lures. I created some special lures for high privilege personas and placed them into {HOME}\ and a filepath beneath that. But i cannot find the files (show hidden is on). Are the folders also created by deception? It's 5 days now - so time should also not be the problem. How to troubleshoot? BR Stephan430Views0likes4CommentsIdentityLogonEvents table Roadmap
Is there a roadmap for this: consolidate all sign-in schema information into the IdentityLogonEvents table. This is with respect to AADSignInEventsBeta & AADSpnSignInEventsBeta being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. AADSpnSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn AADSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn365Views1like1CommentIncidents from Custom Detection Rules never have Emails for Evidence
let ignoreAddresses = datatable(address:string) [@'email address removed for privacy reasons',@'email address removed for privacy reasons']; let ignoreSpamSubjects = datatable(address:string) [@'ignored subject 1',@'ignored subject 2']; // Time range needs to be set in the UI dropdown in order for LatestDeliveryLocation filter to work (i.e., live table vs streaming API). EmailEvents | where SenderFromDomain in~ (_getEXOAcceptedDomains) | where DetectionMethods has_any('URL detonation reputation', 'URL malicious reputation') and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses)) | where not (Subject has_any (ignoreSpamSubjects)) | where (parse_json( AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound') or (EmailDirection =~ 'Intra-org') | where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not (LatestDeliveryAction =~ 'Quarantine release')) and parse_json(ConfidenceLevel).Phish in~ ('Normal','High') | join kind=inner ( EmailUrlInfo | summarize Urls = make_list(Url) by NetworkMessageId ) on NetworkMessageId I've got the above query saved as a detection rule, which works fine except for one thing - the emails are never present in the Evidence tab of the generated incidents. Meanwhile the Recipients show up in the Mailbox and User assets as I'm using Entity mapping to mapping the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results - "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref) - which is being satisfied. The Evidence available is the IP of the sender, and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' Recipient. I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC, but are in Quarantine, detected as Phish. The idea is to watch out for false positives due to URL detonation reputation since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.184Views0likes0Comments