Hunting for Local Group Membership changes

Hello there. A couple of days ago, someone in a forum asked whether it would be possible to detect changes to the local Administrators group using Microsoft Defender Advanced Threat Protection. Before I continue, why would you want to monitor such changes? Well, here is what comes to mind: an attacker tries to maintain persistence, creates an account, and adds it to the local Administrators group (T1136.001 – Create Account: Local Account). A user Read More …
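The hunt this post sets up, written out as an added advanced hunting example (it is not the post's own query): it lists accounts added to, and removed from, the local Administrators group. It assumes the DeviceEvents table with the ActionType values UserAccountAddedToLocalGroup and UserAccountRemovedFromLocalGroup, and that AdditionalFields carries GroupName, GroupDomainName and GroupSid for those events; verify both against the schema reference in your tenant before relying on the column names.

```kql
// Added example (not from the original post): local Administrators group membership changes.
// Assumes DeviceEvents ActionType UserAccountAddedToLocalGroup / UserAccountRemovedFromLocalGroup
// and the GroupName, GroupDomainName, GroupSid keys in AdditionalFields (check your schema).
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("UserAccountAddedToLocalGroup", "UserAccountRemovedFromLocalGroup")
| extend Fields = parse_json(AdditionalFields)
| extend GroupName   = tostring(Fields.GroupName),
         GroupDomain = tostring(Fields.GroupDomainName),
         GroupSid    = tostring(Fields.GroupSid)
// Match on the well-known SID first: it is the same on every host, while the display
// name is localized ("Administratoren", "Administrateurs") and can be renamed.
// Fall back to the name only if the SID key is absent on this event.
| where GroupSid == "S-1-5-32-544" or (isempty(GroupSid) and GroupName =~ "Administrators")
| project Timestamp, DeviceName,
          Change        = iff(ActionType == "UserAccountAddedToLocalGroup", "added", "removed"),
          TargetAccount = strcat(AccountDomain, @"\", AccountName), AccountSid,
          GroupName, GroupDomain,
          // Who performed the change and with which tool (net.exe, PowerShell, an installer, ...)
          Actor = strcat(InitiatingProcessAccountDomain, @"\", InitiatingProcessAccountName),
          InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

Filtering on the SID rather than the string "Administrators" is the detail that matters in a multi-language estate; the name fallback is only there for events where the SID field happens to be missing. If your tenant only shows the name in AdditionalFields, drop the SID clause and keep the `=~` comparison.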

Generating Advanced hunting queries with PowerShell

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run a query as shown below. But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below Read More …
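The shape of query a generator like the one described here would produce, as an added example (not the post's own code): instead of one hand-edited `where` per command, the command names live in a single `dynamic` list and `has_any` does the matching. The list of cmdlets and switches below is a constructed sample, and the `mv-apply` step that records which terms matched assumes that operator is available in your advanced hunting tenant.

```kql
// Added example (not from the original post): one query for many PowerShell commands.
// The terms are a constructed sample; edit or regenerate the list, nothing else changes.
let suspicious_terms = dynamic([
    "Invoke-Expression", "IEX", "DownloadString", "DownloadFile",
    "Invoke-WebRequest", "Start-BitsTransfer", "FromBase64String",
    "-EncodedCommand", "Add-MpPreference", "Set-MpPreference", "Invoke-Mimikatz"
]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// has_any is a case-insensitive, term-based match: "IEX" matches the token IEX but not
// a substring inside another word, which keeps noise down compared with contains.
| where ProcessCommandLine has_any (suspicious_terms)
// Record which of the terms fired so the analyst does not have to re-read the command line
// (assumes mv-apply is supported in your tenant; drop this step if it is not).
| mv-apply term = suspicious_terms to typeof(string) on (
      where ProcessCommandLine has term
      | summarize MatchedTerms = make_set(term)
  )
| project Timestamp, DeviceName, AccountName, MatchedTerms,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

Because the term list is the only part that changes, generating it from PowerShell (or any script) is a one-liner that joins quoted strings with commas; the rest of the query stays fixed. Note that a term such as `-EncodedCommand` is matched by its alphanumeric token, so `-enc` on its own is not caught here and needs its own entry.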

Defender ATP Advanced hunting with TI from URLhaus

Hello everyone, in today’s article we are going to take a look at how we can use Threat Intelligence (TI) data from URLhaus with Microsoft Defender ATP advanced hunting. URLhaus URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. https://urlhaus.abuse.ch/ The project provides several ways to find and retrieve information about malware URLs. You can browse the URL database interactively through https://urlhaus.abuse.ch/browse/ You can also Read More …
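How URLhaus indicators are matched against network telemetry once they are inside a query, as an added example (not the post's own code). Defender ATP advanced hunting has no operator that fetches the URLhaus feed at query time, so the indicators have to be embedded in the query text; the three rows below are constructed placeholders on example domains and documentation IP ranges, not real URLhaus entries. The query assumes the standard DeviceNetworkEvents columns and that `let`-defined functions are supported in your tenant.

```kql
// Added example (not from the original post). Indicators are constructed placeholders,
// standing in for rows exported from the URLhaus CSV (url, threat, tags).
let urlhaus = datatable(url:string, threat:string, tags:string) [
    "http://cdn.example.net/loader.exe",        "malware_download", "exe",
    "http://203.0.113.10:8080/bins/arm7",       "malware_download", "elf,mirai",
    "http://files.example.org/invoice/doc.js",  "malware_download", "js"
];
// RemoteUrl is sometimes a full URL and sometimes just an FQDN, so parse_url() alone
// is not reliable; this helper strips scheme, path and port and lower-cases the host.
let hostOf = (u:string) {
    tolower(tostring(split(split(split(u, "://")[-1], "/")[0], ":")[0]))
};
// Match on the hosting domain or IP: paths and query strings rotate, hosts rarely do.
let ioc_hosts = urlhaus
    | extend IocHost = hostOf(url)
    | summarize IocUrls = make_set(url), IocTags = make_set(tags) by IocHost;
DeviceNetworkEvents
| where Timestamp > ago(30d)
// IP-only indicators have no URL in telemetry; fall back to RemoteIP for those connections.
| extend IocHost = iff(isempty(RemoteUrl), RemoteIP, hostOf(RemoteUrl))
| join kind=inner ioc_hosts on IocHost
| project Timestamp, DeviceName, ActionType, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          IocUrls, IocTags, ReportId
| order by Timestamp desc
```

Keep the indicator set to recent URLhaus entries (days, not months); hosts on shared CDNs or hosting providers will otherwise produce matches on legitimate traffic, and the `IocUrls` column is there so the analyst can see which exact URL the host was reported for.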

Managing Time Zone and Date formats in Microsoft Defender Security Center

When you receive security alerts or are investigating security-related events, time is an important element. By default, date and time are displayed in Coordinated Universal Time (UTC) within the Microsoft Defender Security Center portal. In today’s blog post, I want to provide you with some insights and tips on how to manage the time zone and the date/time format within the Microsoft Defender Security Center. Time zones You can use the Time zone Read More …

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Hello everyone, during the past months I took a closer look at MITRE ATT&CK to advance my hunting skills using Microsoft Defender Advanced Threat Protection. For those not familiar with MITRE ATT&CK, in short, it is a knowledge base of adversary tactics and techniques based on real-world observations. To familiarize myself with MITRE ATT&CK, I first started reading through all the tactics and techniques; to be honest, while reading, I often couldn’t resist Read More …

How to generate a monthly Defender ATP Threat and Vulnerability Report

Update 11 January 2020 – Microsoft has updated the Advanced Hunting schema, so ComputerName is now DeviceName in the queries. Just recently Microsoft announced that the Defender ATP advanced hunting schema was extended with the following tables: DeviceTvmSoftwareInventoryVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB. This allows us to run advanced hunting queries to find and extract Defender ATP TVM data. Now the people in your organization who are responsible for threat and vulnerability Read More …
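A per-device vulnerability summary of the kind a monthly report would be built from, as an added example (not the post's own query). It joins the two software vulnerability tables named above on CveId and uses the table and column names as they appear in the post; the inventory table has since been renamed in newer schema versions, so adjust the first line if your tenant rejects it. Both tables are snapshots of the current state rather than an event log, which is why there is no Timestamp filter.

```kql
// Added example (not from the original post): monthly per-device TVM summary.
// Table names follow the post; DeviceTvmSoftwareInventoryVulnerabilities may be named
// differently in a newer schema. Both tables are current-state snapshots (no Timestamp).
DeviceTvmSoftwareInventoryVulnerabilities
| join kind=inner (
      DeviceTvmSoftwareVulnerabilitiesKB
      | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| summarize
      Critical         = countif(VulnerabilitySeverityLevel == "Critical"),
      High             = countif(VulnerabilitySeverityLevel == "High"),
      Medium           = countif(VulnerabilitySeverityLevel == "Medium"),
      Low              = countif(VulnerabilitySeverityLevel == "Low"),
      // Public exploit code exists: these CVEs go to the top of the patch list
      ExploitAvailable = countif(IsExploitAvailable == true),
      MaxCvss          = max(CvssScore),
      // CVEs older than 90 days that are still open are the report's "overdue" line
      OlderThan90d     = countif(PublishedDate < ago(90d)),
      AffectedProducts = dcount(strcat(SoftwareVendor, "/", SoftwareName)),
      OpenCves         = dcount(CveId)
    by DeviceName, OSPlatform
| extend ReportMonth = format_datetime(now(), "yyyy-MM")
| order by ExploitAvailable desc, Critical desc, High desc
```

Exporting this once a month gives the vulnerability team a trend line per device; sorting on `ExploitAvailable` before raw severity is deliberate, since an exploited High usually deserves attention before an unexploited Critical.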

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

Note: I have updated the KQL queries below, but the screenshots themselves still refer to the previous (old) schema names. If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip on how to find out who’s logging on with local administrator rights. But first, when would you want to run this? Well, here are some scenarios I can think of: You want to find users that have local administrator rights Read More …
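The question in the title, answered as an added advanced hunting example (not the post's own query): it assumes the DeviceLogonEvents table with its `IsLocalAdmin`, `LogonType` and `ActionType` columns under the current schema (DeviceName rather than ComputerName). The list of built-in accounts filtered out is a constructed starting point; extend it for your environment.

```kql
// Added example (not from the original post): accounts that logged on with local admin
// rights in the last 30 days, per device. Assumes DeviceLogonEvents.IsLocalAdmin exists.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"
| where IsLocalAdmin == true
// The question is about people: drop computer accounts (trailing $) and the
// built-in service and desktop-manager accounts (constructed list, extend as needed).
| where not(AccountName endswith "$")
| where AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DWM-1", "DWM-2", "UMFD-0", "UMFD-1")
// Collapse the raw logon types into what an admin actually wants to know
| extend LogonKind = case(
      LogonType == "Interactive",       "Console",
      LogonType == "RemoteInteractive", "RDP",
      LogonType == "Network",           "Network (SMB/WMI/remote tools)",
      LogonType)
| summarize FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            Logons     = count(),
            LogonKinds = make_set(LogonKind)
    by Account = strcat(AccountDomain, @"\", AccountName), DeviceName
| order by Logons desc
```

Run it once summarized by `Account` alone (drop `DeviceName` from the `by` clause and add `dcount(DeviceName)`) to spot a single user account holding admin rights on dozens of machines; that is the case where a compromised password turns into lateral movement.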