https://www.verboon.info/tags/advanced-hunting/Recent content in Advanced-Hunting on Anything About ITHugoen-usWed, 25 Aug 2021 15:21:28 +0000https://www.verboon.info/2021/08/use-advanced-hunting-to-identify-defender-clients-with-outdated-definitions/Wed, 25 Aug 2021 15:21:28 +0000https://www.verboon.info/2021/08/use-advanced-hunting-to-identify-defender-clients-with-outdated-definitions/<p>In an ideal world all of our devices are fully patched and the Microsoft Defender antivirus agent has the latest definition updates installed. Unfortunately reality is often different. When using Microsoft Endpoint Manager we can find devices with outdated definition updates through the Microsoft Endpoint Manager portal as shown in the example below.</p> <p> <img src="images/082521_1519_Useadvanced2.png" alt=""> </p> <p>Now in my opinion it must be the IT infrastructure operations team&rsquo;s responsibility to ensure that devices get their patches installed and Defender gets its platform and definition updates. But sometimes the reason for devices not getting updates is because the platform used to manage the deployment of these updates might have an issue, be on the backend or client side.</p>https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes/Sun, 06 Sep 2020 08:22:11 +0000https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes/<p>Hello there,</p> <p>A couple of days ago, someone in a forum asked whether it would be possible to detect changes to the local administrator&rsquo;s group using Microsoft Defender Advanced Threat protection. Before I continue why would you want to monitor such changes? Well here is what comes to my mind:</p> <ul> <li>An attacker tries to maintain persistence, creates an account, and adds it to the local administrator&rsquo;s group. <a href="#">T1136.001 - Create Account: Local Account</a></li> <li>A user obtained a LAPS password and misuses the temporary permission to add their own account to the local administrative group</li> <li>Local IT support works on fixing an issue, adds the user to the local administrator&rsquo;s group, but forgets to remove the account after the issue is being resolved</li> <li>In the days of COVID19, IT sometimes is in a rush and does anything to enable their users to work, a user is quickly added to the local administrators or remote desktop users group to enable them to use Remote Desktop Services (RDP)</li> </ul> <p>Now the good news is, yes changes to local groups can be detected. As you can see from the screenshot below Microsoft Defender ATP exposes <strong>UserAccountAddedToLocalGroup</strong> ActionType in the <a href="#">DeviceEvents</a> table.</p>https://www.verboon.info/2019/10/microsoft-defender-atp-advanced-hunting-whos-logging-on-with-local-admin-rights/Tue, 29 Oct 2019 16:00:07 +0000https://www.verboon.info/2019/10/microsoft-defender-atp-advanced-hunting-whos-logging-on-with-local-admin-rights/<p><strong>Note</strong>: I have updated the kql queries below, but the screenshots itself still refer to the previous (old) schema names</p> <p>If you&rsquo;re among those administrators that use Microsoft Defender Advanced Threat Protection, here&rsquo;s a handy tip how to find out who&rsquo;s logging on with local administrators&rsquo; rights. But first when would you want to run this? Well here are some scenarios I can think of:</p> <ul> <li> <p>You want to find users that have local administrator rights on their devices.</p>