Share Your Hunting Challenges!

Hello world! @Tali Ash and I would love your input on anything you would like demo'ed in future webcasts! Want to see us demonstrate a specific hunting capability? Got a query challenge on your mind? Reply with your idea or like a reply from the community - we'll pick some of the popular ideas and put together future webcasts on the topics.

Also, if you are looking for a great introduction to advanced hunting in MTP and KQL, be sure to check out our four-part series Tracking the Adversary at http://aka.ms/securitywebinars, or download the query files to practice on your own MTP instance at https://aka.ms/TrackingTheAdversary.

Happy hunting!

@MichaelJMelone

It might be a bit off topic, but it is still about hunting.

Normally, for suspicious and unknown files, we send them to the Microsoft Anti-Malware team and VirusTotal.

Sometimes I will use Process Explorer and Process Monitor to do some investigation on an infected PC.

As you may know, we normally don't have a malware research lab in our company, and sometimes we play around with VMs and Windows Sandbox, but at the end of the day we have to wait for a response from the Microsoft Anti-Malware team.

It would be nice to discuss ways we could investigate malware internally and protect our systems while we are waiting for a patch.

@MichaelJMelone

Tracking the Adversary series was just awesome; thanks for sharing this level of knowledge for free!

I want to detect when a user starts to use a new application/process. The scenario is as below:

A user uses normal applications like Excel, Word, etc. daily. Then, the same user suddenly starts using a new application/tool on day X. He/she uses the application several times during that day, and then stops using it. There are also other users using the same application/tool, but those users use it daily as it's their job. I have no information about any of the users or the application/tool itself. When I try to hunt for this scenario, I get a resource usage error or the query just gets stopped because of high CPU usage. Maybe you want to cover this "rare process seen on an endpoint" scenario.
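
One way to hunt this scenario without hitting the resource limits, added here as an example and not code from the thread or from the webinar: aggregate DeviceProcessEvents down to one row per account, process and day first, then use a leftanti join against the account's own baseline, so the expensive part runs once over pre-summarised rows. The org-wide columns separate a tool that is new for one user from one that is new everywhere; the table and column names are the standard advanced hunting schema, while the 30-day and 1-day windows are assumptions.

```kql
// Added example, not from the thread. Schema: DeviceProcessEvents (Microsoft 365 Defender).
// Goal: processes an account ran in the recent window but never in the prior baseline,
// pre-aggregated to one row per account/process/day so the joins stay cheap.
let lookback = 30d;           // baseline window (assumption)
let recent   = 1d;            // window in which "new for this user" is reported (assumption)
let daily = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where isnotempty(AccountName) and isnotempty(FileName)
| summarize Runs = count(), Devices = dcount(DeviceName)
    by AccountName = tolower(AccountName), FileName = tolower(FileName), Day = startofday(Timestamp);
// Everything each account ran before the recent window.
let baseline = daily
| where Day < startofday(ago(recent))
| summarize by AccountName, FileName;
// How common the process is across the organisation: other users who run it daily
// as part of their job show up here as a high OrgUsers / OrgDaysSeen.
let orgUsage = daily
| summarize OrgUsers = dcount(AccountName), OrgDaysSeen = dcount(Day) by FileName;
daily
| where Day >= startofday(ago(recent))
| join kind=leftanti (baseline) on AccountName, FileName   // drop anything the account used before
| join kind=leftouter (orgUsage) on FileName
| project Day, AccountName, FileName, Runs, Devices, OrgUsers, OrgDaysSeen
| order by OrgUsers asc, Runs desc   // rarest processes first, busiest users of them on top
```

Rows with a low OrgUsers are tools that are rare everywhere; rows with a high OrgUsers but present in this result are the "new for this particular user" case described above.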

Great topics so far! Keep them coming. If something you'd like to see exists already, please like it; if not, feel free to add it.

@MichaelJMelone 

I believe one of the greatest challenges to the industry is ransomware. We might use Controlled folder access, which is very effective at protecting our systems, and use a defense-in-depth strategy, but the worst case is when a user is infected and they lose their data and they don't have any backup.

Hello, I need to know how to find the patch IDs associated w/ a CVE. I often find myself trying to find out if certain patches have been deployed but am only given a CVE-xxxx-xxxx as my reference point.
It would be great if you could cover how to use Machine Learning functions in MDATP/MTP for hunting.

Thank you for all of the great suggestions! @Tali Ash and I are excited to announce that our next webcast will be on November 17th. Be sure to join us for our new series l33tSpeak where we will share some of the latest Microsoft 365 Defender Advanced Hunting capabilities and provide demos based on your requests. We are looking forward to seeing everyone virtually again! To attend please register for our winter series of webcasts here: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_0A4IaJRDNBnp8pjCkWnwhUMjY1... 

@MichaelJMelone I've been playing with the make_series function and detecting anomalies. I have a situation which makes the detection quite difficult. For example, I try to create the time series data for a machine. The machine is not always powered on, and this means my time series data has 0 values for some periods (let's say I don't have any data for Monday and Wednesday from the machine). This makes the anomaly detection with series_outliers quite difficult. How can I overcome this? Is it possible to exclude periods not having any data from the analysis?
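
An added example (not from the thread) of the approach the question is asking for: let the powered-off bins come out of make_series as 0, then pass 0 as the ignore_val argument of series_outliers so those bins are left out of the quartile estimate and never flagged. The device name is constructed and the 14-day / 1-hour windows are assumptions.

```kql
// Added example, not from the thread. Schema: DeviceNetworkEvents (Microsoft 365 Defender).
// Bins where the device was powered off come out of make_series as 0. Passing 0 as the
// ignore_val argument of series_outliers keeps those bins out of the percentile estimate
// and scores them 0, so only bins that actually carry telemetry can be flagged.
let startTime = startofday(ago(14d));   // assumption
let endTime   = startofday(now());
let binSize   = 1h;                     // assumption
DeviceNetworkEvents
| where Timestamp between (startTime .. endTime)
| where DeviceName == "ws-finance-07.contoso.example"   // constructed device name
| make_series Connections = count() default=0
    on Timestamp from startTime to endTime step binSize by DeviceName
// "tukey": plain Tukey fences; third argument is the value to treat as "no data".
| extend Score = series_outliers(Connections, "tukey", 0)
| mv-expand Timestamp to typeof(datetime), Connections to typeof(long), Score to typeof(double)
| where Connections > 0          // drop the no-telemetry bins from the output as well
| where abs(Score) > 1.5         // beyond the Tukey fences in either direction
| project DeviceName, Timestamp, Connections, Score
| order by Timestamp asc
```

The trade-off is that a powered-on but idle hour is also treated as missing; if that matters, build a second series from a table the device reports to regardless of activity and mask on that instead.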

Great question! This can definitely be a challenge, especially because one patch may be superseded by another. The best official source would be the National Vulnerability Database (NVD), which is run by NIST (https://nvd.nist.gov/vuln/search).
As far as advanced hunting goes, this is not currently available in the product today - but definitely makes a great feature request. We will definitely keep this in mind!

@MichaelJMelone 

Would you be willing to look at this query and let me know why it's not working? It ran once but now it has an unexpected error. It's getting an error in the line:

"| summarize NumberofDisstinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)"

 

let Threshold = 12;
let BinTime = 1m;
// Domain controllers, identified as the destination of directory replication.
// The posted query filtered Application twice with different values, which can never both
// match; the second filter is assumed to be meant for ActionType.
let listDC = IdentityDirectoryEvents
| where Application == "Active Directory"
| where ActionType == "Directory Service replication"
| summarize by DestinationDeviceName;
IdentityQueryEvents
| where Timestamp > ago(30d)
// Exclude the DCs themselves. The posted query compared against the literal string "DC List",
// which excludes nothing; the let-bound list is used instead.
| where DeviceName !in (listDC)
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
// No blank line before this step: the advanced hunting editor treats a blank line as a boundary
// between separate queries, so a "| summarize" block on its own fails with a syntax error.
| summarize NumberofDisstinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberofDisstinctLdapQueries > Threshold

source: MS Defender Webinar Solorigate

@Citizen8675309 I tried this out in my lab environment and it ran without issue (I set Threshold to 0 for testing).