Windows Defender ATP

Windows Defender ATP#

Microsoft Defender Advanced Threat Protection is the platform enterprise networks lean on to prevent, detect, investigate, and respond to advanced threats. The handbook entry is a hunt-query library, Kusto Query Language patterns the operator (or their defender counterpart) drops into the portal to surface specific behaviors.

The page is dense; every query follows the same pattern, narrow by EventTime, filter on ProcessCommandLine or FileName, summarize by host and account, project the fields that matter.

Hunt queries#

Possible RDP tunnel, processes whose command line touches :3389 or :6511 in the last 10 days.

ProcessCreationEvents
| where EventTime > ago(10d)
| where (ProcessCommandLine contains ":3389" or ProcessCommandLine contains ":6511")
| project EventTime, ComputerName, AccountName, InitiatingProcessFileName, ActionType, FileName, ProcessCommandLine, InitiatingProcessCommandLine

Allow RDP connection via SC CONFIG against the Terminal Server service.

ProcessCreationEvents
| where EventTime > ago(7d)
| where (ProcessCommandLine contains "SC CONFIG" and ProcessCommandLine contains "DISABLED" and ProcessCommandLine contains "wuauserv")
or (ProcessCommandLine contains "Terminal Serve" and ProcessCommandLine contains "fDenyTSConnections" and ProcessCommandLine contains "0x0")

INF file echo creation / execution.

ProcessCreationEvents
| where EventTime > ago(17d)
| where ProcessCommandLine contains "echo" and ProcessCommandLine contains ".inf"

Account creation, net user ... /add.

ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "net user" and ProcessCommandLine contains "/add"

Local account activation, Administrator or guest /active:yes.

ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "Administrator /active:yes" or ProcessCommandLine contains "guest /active:yes"

User added to Remote Desktop Users or administrators local group.

ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "localgroup" and ProcessCommandLine contains "/add" and (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "administrators")

Service creation via secedit.exe /export /cfg.

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName contains "SECEDIT"
| where ProcessCommandLine == @"secedit.exe /export /cfg ** .inf"

Alert events. Common alert pivot queries hit AlertEvents and summarize by FileName, Category, Severity, and ComputerName.

AlertEvents
| where EventTime > ago(7d)
| summarize makeset(FileName), dcount(FileName), makeset(ComputerName), makeset(Category), dcount(Category) by Title
| sort by dcount_ComputerName desc

WDAVDetection in MiscEvents, alerts produced by Windows Defender.

MiscEvents
| where EventTime > ago(17d)
| where ActionType == "WDAVDetection"

Clearing event log activity, call ClearEventlog in command line or initiating process.

ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "call ClearEventlog" or InitiatingProcessCommandLine contains "call ClearEventlog"

Remote share mounting, \\c$, \\admin$, or \\ipc$ in command line.

ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "net.exe"
| where ProcessCommandLine contains "\\c$" or ProcessCommandLine contains "\\admin$" or ProcessCommandLine contains "\\ipc$"

IMPACKET artifact search, 127.0.0.1\ADMIN$ and 2>&1 in command line.

ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "127.0.0.1\\ADMIN$\\" and ProcessCommandLine contains "2>&1"

Process dump activity, -accepteula together with -ma or 1>.

ProcessCreationEvents
| where EventTime > ago(10d)
| where (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "1>") or (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "-ma")

Network activity by cscript / wscript and PowerShell.

NetworkCommunicationEvents
| where EventTime > ago(7d)
| where InitiatingProcessFileName in ("cscript.exe", "wscript.exe")

NetworkCommunicationEvents
| where EventTime > ago(1d)
| where InitiatingProcessFileName =~ "powershell.exe"

BitsAdmin execution and /transfer.

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName contains "bitsadmin.exe"
| where ProcessCommandLine contains "/TRANSFER" or ProcessCommandLine contains "/CREATE" or ProcessCommandLine contains "/ADDFILE"

LoLbin certutil decode (suspicious -decode ... \\AppData\\).

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine contains "-decode" and ProcessCommandLine contains "\\AppData\\"

MS Office abuse indicators, winword / excel / powerpnt spawning cscript / wscript / powershell.

ProcessCreationEvents
| where EventTime > ago(1d)
| where InitiatingProcessParentName contains "winword.exe" or InitiatingProcessParentName contains "excel.exe" or InitiatingProcessParentName contains "powerpnt.exe"
| where FileName contains "cscript" or FileName contains "wscript" or FileName contains "powershell"

LoLbin rundll32 activity, register server, HTA remote, roaming profile.

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains ",Control_RunDLL"

| where ProcessCommandLine contains "DllRegisterServer"

| where ProcessCommandLine contains "mshtml,RunHTMLApplication"

| where ProcessCommandLine contains "\\roaming\\"

at.exe process execution, WMIC process call create, wscript running .js, wscript creating .zip or .rar.

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "at.exe"

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "WMIC.exe"
| where ProcessCommandLine contains "process call create"

ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "wscript.exe"
| where ProcessCommandLine contains ".js"

Uncoder#

Uncoder.io translates queries between SIEM dialects (Sigma, ArcSight, Azure Sentinel, Elasticsearch, Graylog, Kibana, LogPoint, QRadar, Qualys, RSA NetWitness, Regex Grep, Splunk, Sumo Logic, Windows Defender ATP, Windows PowerShell, X-Pack Watcher). Useful for porting a hunt from Splunk to Defender ATP without manually rewriting.

References#