Chuck Leaver – Using Powerful Hunting In Windows Defender ATP

Written By Josh Harrimen And Presented By Chuck Leaver

 

Following on the heels of our recent partnership announcement with Microsoft, our Ziften Security Research group has actually begun leveraging a very cool part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) platform from their Security Center. The Advanced Searching feature lets users run queries in line with the information that has actually been sent out by products and tools, for example Ziften, to discover interesting behaviors rapidly. These queries can be kept and shared amongst the user base of Windows Defender ATP users.

We have included a handful of shared inquiries up until now, but the outcomes are rather intriguing, and we like the ease of use of the searching interface. Considering that Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development efforts to display the total coverage of the platform.

You can access the Advanced Searching user interface by choosing the database icon on the left hand side as revealed in the image below.

You can observe the top-level schema on the top left of that page with occasions such as Machineinfo, ProcessCreation, NetworkCommunication and some others. We ran some current malware within our Redlab and produced some inquiries to find that data and produce the outcomes for examination. An example of this was OceanLotus. We developed a few queries to discover both the dropper and files connected with this risk.

After running the queries, you get outcomes with which you can interact with.

Upon evaluation of the results, we see some systems that have exhibited the looked for habits. When you pick these systems, you can see the information of the system under examination. From there you can see alerts set off and an event timeline. Information from the destructive process are revealed in the image below.

Additional behavior based queries can likewise be run. For instance, we executed another malicious sample which leveraged a small number of methods that we queried. The screenshot directly below shows an inquiry we ran when looking for the Gatekeeper program on a macOS being disabled from the command line. While this action could be an administrative action, it is definitely something you would want to know is taking place within your environment.

From these query outcomes, you can once again choose the system under examination and further examine the suspicious behaviors.

This blog definitely does not work as an in-depth tutorial on using the Advanced Searching function within the Windows Defender Advanced Threat Protection platform. However we wanted to put something together quickly to share our passion about how simple it is to leverage this feature to perform your own custom danger hunting in a multi-system environment, and throughout Windows, macOS and Linux systems.

We look forward to sharing more of our experimentation and research studies using queries built utilizing the Advanced Hunting feature. We share our successes with everybody here, so check out this blog often.

~leaverchuck1


No Responses Yet to “Chuck Leaver – Using Powerful Hunting In Windows Defender ATP”

Leave a Reply