Written By Josh Harrimen And Presented By Chuck Leaver
Following on the heels of our recent partnership announcement with Microsoft, our Ziften Security Research team has started leveraging a very cool part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data that has been sent in by products and tools such as Ziften, in order to quickly discover interesting behaviors. These queries can be saved and shared among the community of Windows Defender ATP users.
We have added only a handful of shared queries so far, but the results are quite interesting, and we love the ease of use of the hunting interface. Because Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development efforts to show off the platform's full coverage.
You can access the Advanced Hunting interface by selecting the database icon on the left-hand side, as shown in the image below.
You can see the top-level schema at the top left of that page, with event types such as Machineinfo, ProcessCreation, NetworkCommunication and others. We ran some recent malware within our Redlab and developed queries to find that data and produce results for investigation. One example was OceanLotus: we created a few queries to find both the dropper and the files associated with this threat.
After running the queries, you get results that you can interact with.
Upon review of the results, we see some systems that have exhibited the behavior we searched for. When you select one of these systems, you can view the details of the system in question. From there you can view the alerts that were triggered and an event timeline. Details from the malicious process are shown below.
Additional behavior-based queries can also be run. For instance, we executed another malicious sample that used a few techniques we then queried for. The screenshot directly below shows a query we ran to look for Gatekeeper being disabled from the command line on a macOS system. While this may be a legitimate administrative action, it is definitely something you need to know is happening in your environment.
From these query results, you can again select the system under investigation and continue to examine the suspicious behaviors.
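As an added example, not a query from the original post, here is the kind of Advanced Hunting query that would surface the Gatekeeper case described above. The ProcessCreationEvents table and its column names are assumed to match the Windows Defender ATP schema of the time, and the `spctl --master-disable` switch is an assumption as well, since the post does not quote the command it searched for.

```kusto
// Added example (not from the original post): an Advanced Hunting query that
// looks for Gatekeeper being turned off from the macOS command line.
// Assumes the ProcessCreationEvents table and column names of the Windows
// Defender ATP schema current at the time of this post; the spctl flag name
// is an assumption too, as the post does not quote the command.
ProcessCreationEvents
| where EventTime > ago(7d)
// spctl is the macOS tool that manages the Gatekeeper assessment policy
| where FileName =~ "spctl" or ProcessCommandLine has "spctl"
// "--master-disable" turns Gatekeeper assessment off system-wide
| where ProcessCommandLine has "--master-disable"
| project EventTime, ComputerName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// Summarize per host and parent so one noisy machine does not flood the results
| summarize Count = count(),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime),
            Commands = make_set(ProcessCommandLine)
         by ComputerName, AccountName, InitiatingProcessFileName
| order by LastSeen desc
```

Keeping the parent process (the InitiatingProcess* columns) in the output is what lets you tell an administrator typing at a terminal apart from a script or dropper disabling Gatekeeper on its own.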
This blog post is definitely not an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our excitement about how easy it is to use this feature to conduct your own custom threat hunting in a multi-system environment, across Linux, Windows and macOS systems.
We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so look out for future posts.