├── LICENSE ├── README.md ├── TA18-074A_hashes ├── TA18-074A_network_connections ├── WMIC_process_call_create ├── common_double_extensions ├── hidden_powershell ├── lazagne ├── persistence_using_GlobalFlags ├── powershell_base64_decode ├── schema └── sticky_keys /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
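
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Windows Defender ATP - Advanced Hunting Queries

You can find the Azure Log Analytics Query Language Reference here:

https://docs.loganalytics.io/docs/Language-Reference

You can find the database schema, which isn't included in the Azure Log Analytics Query Language Reference, here:

https://github.com/InfoSecC/WDATP-Advanced-Hunting/blob/master/schema

Every query in this repository is bounded by a lookback filter (`EventTime > ago(7d)`, or `ago(1d)` for the inner side of the sticky_keys join) and capped with `top 100 by EventTime`; adjust both to your data retention and alert volume.
--------------------------------------------------------------------------------
/TA18-074A_hashes:
--------------------------------------------------------------------------------
// Finds TA18-074A IOCs: file names and SHA1 hashes from US-CERT Alert TA18-074A
// https://www.us-cert.gov/ncas/alerts/TA18-074A
// A SHA1 match is the strong signal. Several of the file names are generic
// ("s.exe", "list.txt", "SD.bat"), so name-only hits should be reviewed against
// InitiatingProcessFileName and ProcessCommandLine before being treated as incidents.
// FileName uses in~ (case-insensitive) because Windows file names are case-insensitive;
// a plain "in" would miss "S.EXE" or "inveigh.ps1".
ProcessCreationEvents
| where EventTime > ago(7d)
| where SHA1 in ("efdef52f017eaac4843aab506a39ac2dbf96aee5", "e1631cd86facb5724469c19c60729a8d12a00a7f",
                 "092de09e2f346b81a84113734964ad10284f142d", "65fcc51f70b2213bce4d39de56646795fd62d169",
                 "c8791bcebaea85e9129e706b22e3bda43f762e4a", "f9b72a2802d2a7ff33fd2d4bbcf41188724fcaa8",
                 "b45d63d4d952e9a0715583f97a2d9edeb45ae74e", "a602b03555a505cfcfc4b5f4f716b2ba88ed4cd8",
                 "3d36e477643375030431301abaccb8287b2eecce", "64f0ac82ccc4a6def48d5f9079b7c146126c6464")
    or FileName in~ ("s.exe", "n.zip.dv9vpwt.partial", "Inveigh-Relay.ps1", "svcsrv.bat",
                     "list.txt", "SD.bat", "ntdll.exe", "d.js", "Inveigh.ps1", "goo-AA021-1468346915-00-50-56-A5-34-B3.js")
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime   // newest 100 rows; "top ... by" sorts descending by default
--------------------------------------------------------------------------------
/TA18-074A_network_connections:
--------------------------------------------------------------------------------
// Finds TA18-074A IOCs: IP addresses from US-CERT Alert TA18-074A
// https://www.us-cert.gov/ncas/alerts/TA18-074A
// IP indicators age quickly and may sit on shared hosting; confirm a hit with
// RemoteUrl and the initiating process (InitiatingProcessFileName /
// InitiatingProcessCommandLine are available in NetworkCommunicationEvents) before escalating.
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where RemoteIP in ("2.229.10.193", "41.78.157.34", "176.53.11.130", "82.222.188.18", "130.25.10.158",
                     "41.205.61.221", "193.213.49.115", "195.87.199.197", "167.114.44.14", "5.153.58.45", "187.130.251.249",
                     "184.154.150.66", "5.150.143.107")
| project EventTime, ComputerName, RemoteIP, RemoteUrl
| top 100 by EventTime
--------------------------------------------------------------------------------
/WMIC_process_call_create:
--------------------------------------------------------------------------------
// Finds WMIC "process call create" events (WMI used to spawn a process).
// "has" is a case-insensitive whole-term match, so "wmic.exe" and "WMIC" both qualify.
// Expect some noise from administrative scripts; InitiatingProcessFileName (the parent)
// and the account columns in the schema are the quickest way to separate those.
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine has "WMIC"
    and ProcessCommandLine has "process call create"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime
--------------------------------------------------------------------------------
/common_double_extensions:
--------------------------------------------------------------------------------
// Source: WDATP Shared Queries
// Finds events that open executable files with fairly common socially engineered double extensions.
// "endswith" is case-insensitive in Kusto, so ".PDF.EXE" is covered.
// The list is deliberately short; extend it with the document types common in your
// environment (for example ".xls.exe", ".txt.exe", ".jpg.exe") rather than relying on these four.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName endswith ".pdf.exe"
    or FileName endswith ".doc.exe"
    or FileName endswith ".docx.exe"
    or FileName endswith ".mp3.exe"
| project EventTime, ComputerName, FileName, AccountSid, AccountName, AccountDomain
| top 100 by EventTime
--------------------------------------------------------------------------------
/hidden_powershell:
--------------------------------------------------------------------------------
// Source: WDATP Shared Queries
// Finds all PowerShell execution events wherein the PowerShell window has been explicitly hidden.
// The filters are on the *initiating* process: rows are the children spawned by a
// powershell.exe whose own command line asked for a hidden window. FileName (the child)
// is projected so the spawned binary is visible without a second query.
// Coverage notes:
//   - requiring "-Command" excludes encoded invocations (-EncodedCommand / -e);
//     see powershell_base64_decode for those.
//   - "has" matches the spelled-out "-w hidden" / "-windowstyle hidden" forms only;
//     other abbreviations of -WindowStyle are not covered.
//   - pwsh.exe (PowerShell Core) is not matched by the =~ "powershell.exe" filter.
ProcessCreationEvents
| where EventTime > ago(7d)
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has "-Command"
| where InitiatingProcessCommandLine has "-w hidden" or InitiatingProcessCommandLine has "-windowstyle hidden"
| project EventTime, ComputerName, FileName, InitiatingProcessCommandLine
| top 100 by EventTime
--------------------------------------------------------------------------------
/lazagne:
--------------------------------------------------------------------------------
// Finds LaZagne Credential Dumper Usage
// One hash and one file name is a brittle signature: a recompiled or renamed copy
// will not match. Treat this as a cheap tripwire, not as coverage for credential access.
// FileName uses in~ (case-insensitive); with a plain "in" the mixed-case literal
// "laZagne.exe" would only match that exact casing.
ProcessCreationEvents
| where EventTime > ago(7d)
| where SHA1 in ("b4ffdf4a67c3b5343e07e581ec7aa1d6a3514569") or FileName in~ ("laZagne.exe")
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime
--------------------------------------------------------------------------------
/persistence_using_GlobalFlags:
--------------------------------------------------------------------------------
// Looks for persistence using GlobalFlags @oddvarmoe
// https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/amp/
// This matches the WerFault.exe launch described in the linked post, i.e. the moment the
// persistence *fires*, not the moment it is configured. To catch the configuration step,
// pair it with a RegistryEvents query (RegistryKey, RegistryKeyValueName and
// RegistryKeyValueData are in the schema) on the Image File Execution Options /
// SilentProcessExit values the post describes.
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine has "werfault.exe"
    and ProcessCommandLine has "-s -t"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime
--------------------------------------------------------------------------------
/powershell_base64_decode:
--------------------------------------------------------------------------------
// Source: @JohnLaTwC - Twitter
// Decodes base64 PowerShell command lines and keeps those containing execution/loader keywords.
// - "contains" is case-insensitive, so -e, -enc, -EncodedCommand all match; so does
//   -ExecutionPolicy, which the strlen(b64) > 30 and keyword filters below are meant to weed out.
// - FileName uses =~ for consistency with the other queries (PowerShell.exe vs powershell.exe).
// - The regex character class is [A-Za-z0-9+/=]; the earlier "|" characters inside the class
//   were literal pipes, which let a trailing "|" be swallowed into the blob and break decoding.
// - -EncodedCommand takes base64 of UTF-16LE text, so the decoded string carries interleaved
//   NUL bytes; the replace() strips them so the keyword matches work.
// The keyword list is indicative, not conclusive: management tooling also uses encoded
// commands, which is why AccountName and the parent process are projected for triage.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "powershell.exe" and ProcessCommandLine contains " -e"
| extend b64 = extract("[A-Za-z0-9+/=]{30,}", 0, ProcessCommandLine)
| where strlen(b64) > 30
| extend utf8_decode = base64_decodestring(b64)
| extend decode = replace("\x00", "", utf8_decode)
| project-away utf8_decode
| where decode contains 'Gzip' or decode contains 'IEX' or decode contains 'Invoke-Expression'
    or decode contains '.Write' or decode contains '.MemoryStream' or decode contains 'Invoke-Command'
    or decode contains 'icm ' or decode contains 'scriptblock'
| project EventTime, ComputerName, decode, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessParentName
| sort by decode
--------------------------------------------------------------------------------
/schema:
--------------------------------------------------------------------------------
AlertEvents
AlertId
EventTime
MachineId
ComputerName
Severity
Category
Title
ActionType
ReportId
SHA1
FileName
RemoteUrl
RemoteIP

ProcessCreationEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
SHA1
SHA256
MD5
FileName
ProcessId
ProcessCommandLine
ProcessIntegrityLevel
ProcessTokenElevation
ProcessCreationTime
FolderPath
InitiatingProcessAccountDomain
InitiatingProcessAccountName
AccountSid
AccountDomain
AccountName
InitiatingProcessAccountSid
InitiatingProcessIntegrityLevel
InitiatingProcessTokenElevation
InitiatingProcessSHA1
InitiatingProcessSHA256
InitiatingProcessMD5
InitiatingProcessFileName
InitiatingProcessId
InitiatingProcessCommandLine
InitiatingProcessCreationTime
InitiatingProcessFolderPath
InitiatingProcessParentId
InitiatingProcessParentName
InitiatingProcessParentCreationTime

NetworkCommunicationEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
InitiatingProcessSHA1
InitiatingProcessMD5
InitiatingProcessFileName
InitiatingProcessId
InitiatingProcessCommandLine
InitiatingProcessCreationTime
InitiatingProcessFolderPath
InitiatingProcessParentName
InitiatingProcessParentId
InitiatingProcessParentCreationTime
RemoteIP
RemotePort
RemoteUrl
LocalIP
LocalPort
InitiatingProcessAccountDomain
InitiatingProcessAccountName
InitiatingProcessAccountSid
InitiatingProcessIntegrityLevel
InitiatingProcessTokenElevation

FileCreationEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
SHA1
SHA256
MD5
FileName
FolderPath
FileOriginUrl
FileOriginReferrerUrl
FileOriginIP
InitiatingProcessAccountDomain
InitiatingProcessAccountName
InitiatingProcessAccountSid
InitiatingProcessMD5
InitiatingProcessSHA1
InitiatingProcessFolderPath
InitiatingProcessFileName
InitiatingProcessId
InitiatingProcessCommandLine
InitiatingProcessCreationTime
InitiatingProcessIntegrityLevel
InitiatingProcessTokenElevation
InitiatingProcessParentId
InitiatingProcessParentName
InitiatingProcessParentCreationTime

RegistryEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
InitiatingProcessAccountDomain
InitiatingProcessAccountName
InitiatingProcessAccountSid
InitiatingProcessSHA1
InitiatingProcessMD5
InitiatingProcessFileName
InitiatingProcessId
InitiatingProcessCommandLine
InitiatingProcessCreationTime
InitiatingProcessFolderPath
InitiatingProcessParentId
InitiatingProcessParentName
InitiatingProcessParentCreationTime
InitiatingProcessIntegrityLevel
InitiatingProcessTokenElevation
RegistryKey
RegistryKeyValueType
RegistryKeyValueName
RegistryKeyValueData
RegistryKeyPreviousKeyValueName
RegistryKeyPreviousKeyValueData

LogonEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
AccountName
AccountDomain
AccountSid
LogonType

ImageLoadEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
SHA1
MD5
FileName
FolderPath
InitiatingProcessAccountDomain
InitiatingProcessAccountName
InitiatingProcessAccountSid
InitiatingProcessIntegrityLevel
InitiatingProcessTokenElevation
InitiatingProcessSHA1
InitiatingProcessMD5
InitiatingProcessFileName
InitiatingProcessId
InitiatingProcessCommandLine
InitiatingProcessCreationTime
InitiatingProcessFolderPath
InitiatingProcessParentId
InitiatingProcessParentName
InitiatingProcessParentCreationTime

MiscEvents
EventTime
MachineId
ComputerName
ActionType
ReportId
SHA1
MD5
InitiatingProcessSHA1
InitiatingProcessSHA256
InitiatingProcessFileName
InitiatingProcessFolderPath
InitiatingProcessId
InitiatingProcessCommandLine
InitiatingProcessCreationTime
InitiatingProcessParentId
InitiatingProcessParentName
InitiatingProcessParentCreationTime
InitiatingProcessMD5
InitiatingProcessAccountDomain
InitiatingProcessAccountName
InitiatingProcessAccountSid
FileName
FolderPath
AccountName
AccountDomain
RemoteUrl
AdditionalFields
--------------------------------------------------------------------------------
/sticky_keys:
--------------------------------------------------------------------------------
// Source: @JohnLaTwC - Twitter
// Finds events related to sticky keys exploit: accessibility binaries (sethc.exe, utilman.exe, ...)
// whose SHA1 equals a widely seen cmd.exe hash, i.e. the accessibility helper has been
// replaced by a copy of cmd.exe.
// NOTE: count(ComputerName) counts *events*, not distinct hosts, so 1000 cmd.exe launches on
// a handful of machines also qualify; dcount(ComputerName) (column dcount_ComputerName) is the
// host-prevalence measure if that is the intent, and the 1000 threshold should be scaled to the
// tenant size or the query returns nothing in small environments.
// The prevalence baseline uses a 7-day window while the join side only looks back 1 day.
let PrevalentEXEHash = ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ 'cmd.exe'
| summarize count(ComputerName) by SHA1
| where count_ComputerName > 1000;
PrevalentEXEHash
| join kind=inner
(
    ProcessCreationEvents
    | project SHA1, ComputerName, ProcessCommandLine, FileName, EventTime
    | where EventTime > ago(1d)
    | where FileName in~ ("utilman.exe", "osk.exe", "magnify.exe", "narrator.exe", "displayswitch.exe", "atbroker.exe", "sethc.exe")
) on SHA1
--------------------------------------------------------------------------------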