A Look Inside Windows Defender ATP And Its Great Hunting Power – Charles Leaver

By | May 17, 2018

Written By Josh Harrimen And Presented By Charles Leaver


Following on from our recent collaboration announcement with Microsoft, our Ziften Security Research team has begun leveraging an extremely fantastic element of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run inquiries in line with the information that has been sent by products and tools, for example Ziften, to find intriguing behaviors quickly. These queries can be saved and shared among the user base of Windows Defender ATP users.

We have actually added a handful of shared queries so far, however the results are rather interesting, and we like the ease of use of the hunting user interface. Because Ziften sends out endpoint data collected from Linux and macOS systems to Windows Defender ATP, we are concentrating on those OS in our query advancement efforts to showcase the complete protection of the platform.

You can access the Advanced Hunting user interface by choosing the database icon on the left-hand side as shown in the image below.

You can observe the top-level schema on the top left of that page with events such as ProcessCreation, Machineinfo, NetworkCommunication and others. We ran some current malware within our Redlab and developed some inquiries to find that data and produce the results for investigation. An example of this was OceanLotus. We developed a small number of queries to find both the dropper and files connected with this threat.

After running the inquiries, you get results with which you can interact with.

Upon inspection of the outcomes, we see some systems that have shown the looked for habits. When you select these systems, you can view the information of the system under examination. From there you can view signals set off and a timeline of events. Information from the harmful process are revealed below.

Additional behavior based inquiries can likewise be run. For instance, we executed another destructive sample which leveraged a couple of strategies that we queried. The screenshot directly below shows an inquiry we ran when trying to find the Gatekeeper program on a macOS which was disabled from the command line. While this action may be an administrative action, it is certainly something you would like to know is taking place within your environment.

From these query outcomes, you can again select the system under examination and further investigate the suspicious behaviors.

This blog post certainly does not act as an in-depth tutorial on using the Advanced Searching function within the Windows Defender Advanced Threat Protection platform. However we wanted to put something together rapidly to share our excitement about how easy it is to utilize this function to conduct your own customized threat searching in a multi-system environment, and across Linux, Windows and macOS systems.

We look forward to sharing more of our experimentation and research studies utilizing queries built utilizing the Advanced Searching function. We share our successes with everyone here, so look out for future posts.

Leave a Reply

Your email address will not be published. Required fields are marked *