deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

minor updates to advanced hunting best practice text

Browse Source
This commit is contained in:
Tomer Alpert 2018-04-10 08:20:47 +00:00
parent 8134734992
commit 0d49b10d63
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
View File

@ -57,7 +57,7 @@ NetworkCommunicationEvents
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
### Commandlines may vary - when applicable, filter on file names and do fuzzy matching on the commandline
### Commandlines may vary - when applicable, filter on file names and do fuzzy matching
There are many possible ways to specify a commandline that will do exactly the same thing, but will look different.
In example, the attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, etc.
Also, the attacker could change the order of some parameters, add many quotes or spaces, and much more.
@ -83,7 +83,7 @@ ProcessCreationEvents
ProcessCreationEvents
| where FileName in~ ("net.exe", "net1.exe")
| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "WinDefend"
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)