diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 727cdd7358..70648b8b39 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md 
@@ -57,7 +57,34 @@ NetworkCommunicationEvents The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID. - +### Commandlines may vary - when applicable, filter on file names and do fuzzy matching +There are many possible ways to specify a commandline that will do exactly the same thing, but will look different. +In example, the attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, etc. +Also, the attacker could change the order of some parameters, add many quotes or spaces, and much more. + +To create more durable queries on commandlines, it is recommended to: +- Identify known processes (such as net.exe, psexec.exe, etc.) by matching on the filename fields, instead of filtering on the commandline field. +- When querying for commandline arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple seperate contains operators. +- Do case insensitive matches. E.g. use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs' +- To mitigate DOS commandline obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones. 
+ +In example, here is a non-durable query for using net.exe to stop the Windows Defender Firewall service: +``` +// Non-durable query - do not use +ProcessCreationEvents +| where ProcessCommandLine == "net stop MpsSvc" +| limit 10 + +// Better query - filters on filename, does case-insensitive matches +ProcessCreationEvents +| where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" + +// Best query also ignores quotes +ProcessCreationEvents +| where FileName in~ ("net.exe", "net1.exe") +| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine) +| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" +``` >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
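Review bot: the "Best query" only implements the first of the normalizations the bullet list above it recommends; it strips quotes with `| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)` but does not replace commas with spaces or collapse repeated spaces, so a reader following the guidance will expect those steps here too. Either extend the `extend` line with the additional `replace()` calls for commas and consecutive whitespace, or note in the lead-in sentence that the example shows only the quote-removal step. Minor wording in the same hunk: "seperate" should be "separate", and both uses of "In example" should read "For example".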