Windows Defender ATP#
Microsoft Defender Advanced Threat Protection is the platform enterprise networks lean on to prevent, detect, investigate, and respond to advanced threats. The handbook entry is a hunt-query library, Kusto Query Language patterns the operator (or their defender counterpart) drops into the portal to surface specific behaviors.
The page is dense; every query follows the same pattern, narrow by
EventTime, filter on ProcessCommandLine or FileName,
summarize by host and account, project the fields that matter.
Hunt queries#
Possible RDP tunnel, processes whose command line touches :3389 or
:6511 in the last 10 days.
ProcessCreationEvents
| where EventTime > ago(10d)
| where (ProcessCommandLine contains ":3389" or ProcessCommandLine contains ":6511")
| project EventTime, ComputerName, AccountName, InitiatingProcessFileName, ActionType, FileName, ProcessCommandLine, InitiatingProcessCommandLine
Allow RDP connection via SC CONFIG against the Terminal Server service.
ProcessCreationEvents
| where EventTime > ago(7d)
| where (ProcessCommandLine contains "SC CONFIG" and ProcessCommandLine contains "DISABLED" and ProcessCommandLine contains "wuauserv")
or (ProcessCommandLine contains "Terminal Serve" and ProcessCommandLine contains "fDenyTSConnections" and ProcessCommandLine contains "0x0")
INF file echo creation / execution.
ProcessCreationEvents
| where EventTime > ago(17d)
| where ProcessCommandLine contains "echo" and ProcessCommandLine contains ".inf"
Account creation, net user ... /add.
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "net user" and ProcessCommandLine contains "/add"
Local account activation, Administrator or guest /active:yes.
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "Administrator /active:yes" or ProcessCommandLine contains "guest /active:yes"
User added to Remote Desktop Users or administrators local group.
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "localgroup" and ProcessCommandLine contains "/add" and (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "administrators")
Service creation via secedit.exe /export /cfg.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName contains "SECEDIT"
| where ProcessCommandLine == @"secedit.exe /export /cfg ** .inf"
Alert events. Common alert pivot queries hit AlertEvents and
summarize by FileName, Category, Severity, and
ComputerName.
AlertEvents
| where EventTime > ago(7d)
| summarize makeset(FileName), dcount(FileName), makeset(ComputerName), makeset(Category), dcount(Category) by Title
| sort by dcount_ComputerName desc
WDAVDetection in MiscEvents, alerts produced by Windows Defender.
MiscEvents
| where EventTime > ago(17d)
| where ActionType == "WDAVDetection"
Clearing event log activity, call ClearEventlog in command line or
initiating process.
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "call ClearEventlog" or InitiatingProcessCommandLine contains "call ClearEventlog"
Remote share mounting, \\c$, \\admin$, or \\ipc$ in
command line.
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "net.exe"
| where ProcessCommandLine contains "\\c$" or ProcessCommandLine contains "\\admin$" or ProcessCommandLine contains "\\ipc$"
IMPACKET artifact search, 127.0.0.1\ADMIN$ and 2>&1 in command
line.
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "127.0.0.1\\ADMIN$\\" and ProcessCommandLine contains "2>&1"
Process dump activity, -accepteula together with -ma or 1>.
ProcessCreationEvents
| where EventTime > ago(10d)
| where (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "1>") or (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "-ma")
Network activity by cscript / wscript and PowerShell.
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where InitiatingProcessFileName in ("cscript.exe", "wscript.exe")
NetworkCommunicationEvents
| where EventTime > ago(1d)
| where InitiatingProcessFileName =~ "powershell.exe"
BitsAdmin execution and /transfer.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName contains "bitsadmin.exe"
| where ProcessCommandLine contains "/TRANSFER" or ProcessCommandLine contains "/CREATE" or ProcessCommandLine contains "/ADDFILE"
LoLbin certutil decode (suspicious -decode ... \\AppData\\).
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine contains "-decode" and ProcessCommandLine contains "\\AppData\\"
MS Office abuse indicators, winword / excel / powerpnt
spawning cscript / wscript / powershell.
ProcessCreationEvents
| where EventTime > ago(1d)
| where InitiatingProcessParentName contains "winword.exe" or InitiatingProcessParentName contains "excel.exe" or InitiatingProcessParentName contains "powerpnt.exe"
| where FileName contains "cscript" or FileName contains "wscript" or FileName contains "powershell"
LoLbin rundll32 activity, register server, HTA remote, roaming
profile.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains ",Control_RunDLL"
| where ProcessCommandLine contains "DllRegisterServer"
| where ProcessCommandLine contains "mshtml,RunHTMLApplication"
| where ProcessCommandLine contains "\\roaming\\"
at.exe process execution, WMIC process call create,
wscript running .js, wscript creating .zip or .rar.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "at.exe"
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "WMIC.exe"
| where ProcessCommandLine contains "process call create"
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "wscript.exe"
| where ProcessCommandLine contains ".js"
Uncoder#
Uncoder.io translates queries between SIEM dialects (Sigma, ArcSight, Azure Sentinel, Elasticsearch, Graylog, Kibana, LogPoint, QRadar, Qualys, RSA NetWitness, Regex Grep, Splunk, Sumo Logic, Windows Defender ATP, Windows PowerShell, X-Pack Watcher). Useful for porting a hunt from Splunk to Defender ATP without manually rewriting.