Archives for Protect Your Business

Windows Defender ATP Has Powerful Hunting Features – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver

Following on the heels of our recent collaboration announcement with Microsoft, our Ziften Security Research team has started leveraging a very cool part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data sent in by products and tools such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the community of Windows Defender ATP users.

We have only contributed a handful of shared queries so far, but the results are quite interesting, and we love how easy the hunting interface is to use. Because Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development to showcase the full coverage of the platform.

You can access the Advanced Hunting interface by selecting the database icon on the left-hand side, as shown in the image below.

The top-level schema is shown at the top left of that page, with event tables such as Machineinfo, ProcessCreation, NetworkCommunication and others. We ran some recent malware in our Redlab and built queries to find that data and generate results for investigation. One example was OceanLotus: we wrote a few queries to find both the dropper and the files associated with this threat.

After running the queries, you get results you can interact with.

On reviewing the results, we see some systems that exhibited the behavior we hunted for. Selecting one of these systems lets you view its details, including the alerts that were triggered and an event timeline. Details of the malicious process are shown below.

Additional behavior-based queries can also be run. For instance, we executed another malicious sample that used a few techniques we then queried for. The screenshot directly below shows a query we ran to hunt for Gatekeeper being disabled from the command line on macOS. While this may be a legitimate administrative action, it is definitely something you would want to know is happening in your environment.

From these query results, you can again select the system under examination and continue investigating the suspicious behavior.
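A query of the kind described above, written here as an added example rather than the post's own query (the post shows its query only as a screenshot): it hunts the process-creation data for Gatekeeper being switched off through the spctl command. The ProcessCreationEvents table and its column names are assumed from the Advanced Hunting schema of that era, not taken from this page.

```kql
// Added example, not from the post: hunt for Gatekeeper being turned off
// from the command line on macOS endpoints reporting into Windows Defender ATP.
// Assumes the ProcessCreationEvents table and column names of the 2018-era
// Advanced Hunting schema (the current schema exposes this as DeviceProcessEvents).
ProcessCreationEvents
| where EventTime > ago(7d)
// spctl is the macOS Gatekeeper control utility; "--master-disable" turns
// Gatekeeper off system-wide. Match on both the file name and the command
// line so an invocation by full path is still caught.
| where FileName =~ "spctl" or ProcessCommandLine has "spctl"
| where ProcessCommandLine contains "--master-disable"
| project EventTime, ComputerName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// One row per host, account and command line: how often it happened, when it
// was last seen and which parent processes launched it, which helps tell a
// one-off administrative change from a repeated or scripted pattern.
| summarize Count = count(), LastSeen = max(EventTime),
            Parents = make_set(InitiatingProcessFileName)
    by ComputerName, AccountName, ProcessCommandLine
| order by LastSeen desc
```

Hosts where the parent is an interactive shell run by a known administrator are the expected case; a non-shell parent, an unfamiliar account, or the same host appearing repeatedly is what merits pivoting into the machine timeline as the post describes.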

This post is by no means an in-depth tutorial on the Advanced Hunting feature of the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our excitement about how easy it is to use this feature to conduct your own custom threat hunting in a multi-system environment spanning Linux, Windows and macOS.

We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so look out for future posts.

RSA 2018 Better Than Expected – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver

After spending a couple of days with the Ziften team at the 2018 RSA Conference, my technology observation was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like “AI”, “machine learning” and “predictive” were incredibly worn out. Lots of attention […]

Microsoft’s Intelligent Security Association Is Incredible – Chuck Leaver

Written By David Shefter And Presented By Chuck Leaver

It’s a great strategy: Microsoft has created a system for third-party security companies, like Ziften, to cooperate in better protecting our customers. Everyone wins with the new Microsoft Intelligent Security Association, announced very recently, and we are delighted to be a founding member […]

Opportunities For You With Ziften’s New Channel Program – Chuck Leaver

Written By Greg McCreight And Presented By Chuck Leaver

If you are a reseller, integrator, distributor or managed service provider, the new Ziften Activate Partner Program is now available, it’s ready to go, and it’s going to be excellent for your profitability (and for lowering your clients’ anxiety about cyber security). Ziften is 100 […]

We Must Work Together In The Security Industry For Everybody’s Sake – Chuck Leaver

Written By Chuck Leaver

Nobody can solve cybersecurity alone. No single product company, no single service provider, nobody can tackle the whole thing. Tackling security requires cooperation between many companies. Often, those players sit at different levels of the service stack: some install on endpoints, some within applications, others within network […]

Protect Yourself From Spectre And Meltdown With Ziften’s Help – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver

Ziften understands the recent exploits affecting practically everybody who works with a computer system or digital device. While this is a broad statement, we at Ziften are working diligently to help our clients find vulnerable assets, fix those vulnerable systems, and monitor systems after the repair […]