Chuck Leaver – Here Is How You Hunt Using Windows Defender ATP

Written By Josh Harrimen And Presented By Chuck Leaver


Following on the heels of our current partnership announcement with Microsoft, our Ziften Security Research team has actually started leveraging an extremely cool part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the information that has been sent by solutions and tools, for example Ziften, to find intriguing behaviors quickly. These queries can be saved and shared amongst the community of Windows Defender ATP users.

We have added a handful of shared queries up until now, but the outcomes are rather fascinating, and we enjoy the ease of use of the hunting interface. Since Ziften sends endpoint data collected from Linux and macOS systems to Windows Defender ATP, we are focusing on those OS in our inquiry advancement efforts to display the complete protection of the platform.

You can access the Advanced Searching user interface by choosing the database icon on the left hand side as revealed below.

You can observe the high-level schema on the top left of that page with events such as ProcessCreation, Machineinfo, NetworkCommunication and others. We ran some recent malware within our Redlab and developed some queries to find that data and create the outcomes for investigation. One such sample was OceanLotus. We developed a couple of queries to find both the files and dropper connected with this threat.

After running the queries, you get results with which you can connect with.

Upon assessment of the results, we see some systems that have actually exhibited the searched for behavior. When you select these systems, you can view the details of the particular system in question. From there you can view signals activated and an event timeline. Details from the malicious process are shown below.

Extra behavior based queries can likewise be run. For example, we performed another harmful sample which leveraged a few strategies that we queried. The screenshot directly below shows an inquiry we ran when looking for the Gatekeeper program on a macOS which was disabled from the command line. While this action may be an administrative action, it is certainly something you would wish to know is taking place within your environment.

From these query results, you can once again select the system under examination and continue to examine the suspicious behaviors.

This blog post certainly doesn’t act as an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our excitement about how simple it is to utilize this feature to conduct your own customized danger hunting in a multi-system environment, and throughout Linux, Windows and macOS systems.

We look forward to sharing more of our experimentation and research utilizing inquiries built utilizing the Advanced Searching feature. We share our successes with everybody here, so stay tuned.