Written by Josh Harrimen and presented by Chuck Leaver
Following on from our recent partnership announcement with Microsoft, the Ziften Security Research team has started using a very useful part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data sent in by products and tools such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the Windows Defender ATP user base.
We have added a handful of shared queries so far, but the results are already quite interesting, and we like the ease of use of the hunting interface. Because Ziften sends endpoint data collected from macOS and Linux systems into Windows Defender ATP, we are focusing on those operating systems in our query development efforts to showcase the full coverage of the platform.
You can access the Advanced Hunting interface by selecting the database icon on the left-hand side, as shown below.
You can see the high-level schema at the top left of that page, with event tables such as ProcessCreation, MachineInfo, NetworkCommunication and others. We ran some recent malware in our Redlab and wrote queries to find the resulting data and produce results for examination. One example was OceanLotus: we wrote a few queries to find both the dropper and the files associated with this threat.
After running the queries, you get results that you can interact with.
Inspecting the results, we see some systems that have exhibited the behavior we searched for. When you select one of these systems, you can view the details of that particular system, including the alerts it triggered and an event timeline. Details from the malicious process are shown in the image below.
Behavior-based queries can also be run. For example, we ran another malicious sample that used a few techniques we then queried for. The screenshot directly below shows a query we ran to hunt for Gatekeeper being disabled from the command line on a macOS system. While this could be a legitimate administrative action, it is certainly something you would want to know is happening within your environment.
From these query results, you can again select the system under examination and further investigate the suspicious behavior.
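As an added example (not one of the queries from the original post, and not Ziften's or Microsoft's own code), here is a query of the kind described above, written in the Kusto query language that Advanced Hunting uses. It hunts for Gatekeeper being switched off from the command line via `spctl --master-disable`, and for the related `GKAutoRearm` preference write that stops Gatekeeper from re-enabling itself. The table and column names (`ProcessCreationEvents`, `EventTime`, `ComputerName`, `AccountName`, `FileName`, `ProcessCommandLine`, `InitiatingProcessFileName`) are assumptions about the Advanced Hunting schema of the time; the same query against a current Microsoft Defender tenant would use `DeviceProcessEvents` with `Timestamp` and `DeviceName` instead, so check the schema pane and adjust.

```kql
// Added example: hunt for Gatekeeper being disabled on macOS from the command line.
// Table and column names below are assumptions about the Advanced Hunting schema;
// confirm them against the schema pane in your tenant before saving this query.
ProcessCreationEvents
| where EventTime > ago(7d)
// spctl manages Gatekeeper; "--master-disable" turns it off system-wide.
| where (FileName =~ "spctl" and ProcessCommandLine has "--master-disable")
    // Writing GKAutoRearm=NO to com.apple.security stops Gatekeeper from
    // re-arming itself after being disabled, so catch that path as well.
    or (FileName =~ "defaults"
        and ProcessCommandLine has "com.apple.security"
        and ProcessCommandLine has "GKAutoRearm")
// Keep the fields needed to decide whether this was an admin or a dropper.
| project EventTime, ComputerName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName
| order by EventTime desc
```

A hit on its own does not prove malice, which is why the projection keeps `InitiatingProcessFileName` and `AccountName`: an administrator running this from Terminal under a known account looks very different from `spctl` being spawned by a freshly dropped binary, and that parent is the first thing to pivot on in the machine timeline. Note also that this only covers the command-line path the post describes; other ways of getting past Gatekeeper, such as stripping the `com.apple.quarantine` attribute from a downloaded file, need their own query.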
This blog post is not meant to be an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. However, we wanted to put something together quickly to share our excitement about how simple it is to use this feature to conduct your own custom threat hunting in a multi-system environment, across Linux, Windows and macOS systems.
We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so stay tuned.