Joey Caparas 2018-04-10 13:41:58 -07:00
commit 5554084371


@ -57,7 +57,34 @@ NetworkCommunicationEvents
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
### Commandlines may vary - when applicable, filter on file names and do fuzzy matching
There are many possible ways to specify a commandline that will do exactly the same thing, but will look different.
In example, the attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, etc.
Also, the attacker could change the order of some parameters, add many quotes or spaces, and much more.
To create more durable queries on commandlines, it is recommended to:
- Identify known processes (such as net.exe, psexec.exe, etc.) by matching on the filename fields, instead of filtering on the commandline field.
- When querying for commandline arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple seperate contains operators.
- Do case insensitive matches. E.g. use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
- To mitigate DOS commandline obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
In example, here is a non-durable query for using net.exe to stop the Windows Defender Firewall service:
```
// Non-durable query - do not use
ProcessCreationEvents
| where ProcessCommandLine == "net stop MpsSvc"
| limit 10
// Better query - filters on filename, does case-insensitive matches
ProcessCreationEvents
| where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
// Best query also ignores quotes
ProcessCreationEvents
| where FileName in~ ("net.exe", "net1.exe")
| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
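Review bot: the "Best query" at the end of the code block applies only the first of the three normalizations recommended in the bullet "To mitigate DOS commandline obfuscation techniques" (removing quotes); replacing commas with spaces and collapsing runs of spaces are described in the text but not shown, so a reader who copies the example gets less coverage than the prose promises. Consider either chaining the remaining normalizations into the same extend, e.g. `| extend CanonicalCommandLine=replace(@"\s+", " ", replace(",", " ", replace("\"", "", ProcessCommandLine)))`, or stating in the "Best query" comment that it demonstrates only quote removal. Two smaller points in the same hunk: the non-durable query ends with `| limit 10` while the "Better" and "Best" variants do not, which makes the three harder to compare side by side, and the prose has "seperate" for "separate" and uses "In example" where "For example" is meant.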