Charles Leaver – How To Do Advanced Hunting With Windows Defender ATP

Written By Josh Harrimen And Presented By Charles Leaver


Following on the heels of our recent collaboration announcement with Microsoft, the Ziften Security Research team has started leveraging a very useful component of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data sent in by products and tools such as Ziften, to quickly find interesting behaviors. These queries can be saved and shared among the community of Windows Defender ATP users.

We have contributed a handful of shared queries so far, but the results are already quite interesting, and we appreciate the ease of use of the hunting interface. Because Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing our query development on those operating systems to showcase the platform's complete coverage.

You can access the Advanced Hunting interface by selecting the database icon on the left-hand side, as shown below.

You can see the high-level schema at the top left of that page, with event types such as ProcessCreation, MachineInfo, NetworkCommunication and others. We ran some recent malware within our Redlab and built queries to find that data and produce results for examination. One such sample was OceanLotus. We wrote a small number of queries to find both the dropper and the files associated with this threat.

After running the queries, you get results you can interact with.

Upon review of the results, we see some systems that have exhibited the behavior we searched for. When you select one of these systems, you can see the details of the system under investigation. From there you can view the alerts triggered and an event timeline. Details from the malicious process are shown below.

Additional behavior-based queries can also be run. For example, we executed another malicious sample that used a few techniques we then queried for. The screenshot directly below shows a query we ran to look for the Gatekeeper program on macOS being disabled from the command line. While this may be a legitimate administrative action, it is certainly something you would want to know is happening within your environment.
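As an added illustration of the kind of hunt described above (this is not the query from the original post), the following Advanced Hunting query surfaces process-creation events on macOS endpoints where the spctl utility, which manages Gatekeeper, was invoked with a disable option. The table and column names (ProcessCreationEvents, EventTime, ComputerName, ProcessCommandLine, InitiatingProcess*) are assumed from the Advanced Hunting schema of the time; newer tenants expose the same data under DeviceProcessEvents with Timestamp and DeviceName.

```kusto
// Added example (not from the original post): hunt for Gatekeeper being
// disabled from the command line on macOS endpoints.
// Assumed schema: ProcessCreationEvents with EventTime, ComputerName,
// AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName.
ProcessCreationEvents
| where EventTime > ago(7d)
// spctl is the macOS Gatekeeper policy tool; match the binary name
| where FileName =~ "spctl"
// any invocation carrying a "disable" term is worth a look, whether it
// is an admin change or part of a malware dropper's setup
| where ProcessCommandLine has "disable"
| project EventTime, ComputerName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by EventTime desc
```

The InitiatingProcess columns help separate a hands-on administrator (a Terminal or management-agent parent) from a dropper or script spawning spctl, which is the distinction the investigation timeline then lets you confirm.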

From these query results, you can again select the system in question and further investigate the suspicious behavior.

This article certainly does not serve as a thorough tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. However, we wanted to put something together quickly to share our enthusiasm about how easy it is to use this feature to perform your own custom threat hunting in a multi-system environment, across Linux, Windows and macOS systems.

We look forward to sharing more of our experimentation and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so check back on this blog often.
