From 813473499295c69199aaf70dfda5b9feabfdc5ec Mon Sep 17 00:00:00 2001 From: Tomer Alpert Date: Tue, 10 Apr 2018 08:15:17 +0000 Subject: [PATCH 1/3] Added advanced hunting best practice --- ...ows-defender-advanced-threat-protection.md | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 727cdd7358..3a66d7946b 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md 
@@ -57,7 +57,34 @@ NetworkCommunicationEvents The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID. - +### Commandlines may vary - when applicable, filter on file names and do fuzzy matching on the commandline +There are many possible ways to specify a commandline that will do exactly the same thing, but will look different. +In example, the attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, etc. +Also, the attacker could change the order of some parameters, add many quotes or spaces, and much more. + +To create more durable queries on commandlines, it is recommended to: +- Identify known processes (such as net.exe, psexec.exe, etc.) by matching on the filename fields, instead of filtering on the commandline field. +- When querying for commandline arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple seperate contains operators. +- Do case insensitive matches. E.g. use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs' +- To mitigate DOS commandline obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones. 
+ +In example, here is a non-durable query for using net.exe to stop the Windows Defender Firewall service: +``` +// Non-durable query - do not use +ProcessCreationEvents +| where ProcessCommandLine == "net stop MpsSvc" +| limit 10 + +// Better query - filters on filename, does case-insnsitive matches +ProcessCreationEvents +| where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" + +// Best query also ignores quotes +ProcessCreationEvents +| where FileName in~ ("net.exe", "net1.exe") +| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine) +| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "WinDefend" +``` >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) From 0d49b10d6354a189d4e63860f3324406a43a87b2 Mon Sep 17 00:00:00 2001 From: Tomer Alpert Date: Tue, 10 Apr 2018 08:20:47 +0000 Subject: [PATCH 2/3] minor updates to advanced hunting best practice text --- ...t-practices-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 3a66d7946b..de8736b0ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md 
@@ -57,7 +57,7 @@ NetworkCommunicationEvents The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID. -### Commandlines may vary - when applicable, filter on file names and do fuzzy matching on the commandline +### Commandlines may vary - when applicable, filter on file names and do fuzzy matching There are many possible ways to specify a commandline that will do exactly the same thing, but will look different. In example, the attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, etc. Also, the attacker could change the order of some parameters, add many quotes or spaces, and much more. @@ -83,7 +83,7 @@ ProcessCreationEvents ProcessCreationEvents | where FileName in~ ("net.exe", "net1.exe") | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine) -| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "WinDefend" +| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) From cf9ef65dc118dc4d232738a129124065f42bf77f Mon Sep 17 00:00:00 2001 From: Tomer Alpert Date: Tue, 10 Apr 2018 08:23:55 +0000 Subject: [PATCH 3/3] Fix typo --- ...est-practices-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index de8736b0ff..70648b8b39 100644 
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md @@ -75,7 +75,7 @@ ProcessCreationEvents | where ProcessCommandLine == "net stop MpsSvc" | limit 10 -// Better query - filters on filename, does case-insnsitive matches +// Better query - filters on filename, does case-insensitive matches ProcessCreationEvents | where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
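Review bot: in the PATCH 1/3 hunk @@ -57,7 +57,34 @@, the "Best query" filters on `CanonicalCommandLine contains "WinDefend"` while the two queries above it and the lead-in sentence ("stop the Windows Defender Firewall service") use `MpsSvc`; the three queries are meant to be the same hunt at increasing durability, so the last `where` should read `contains "MpsSvc"` as well. The same hunk also claims the best query "ignores quotes" after a bullet that recommends removing quotes, replacing commas with spaces and collapsing repeated spaces, but the `extend` only strips quotes; either apply the other two normalizations in the same `replace` chain or reword the comment so the example does not promise more than it does. Minor wording in the added prose: "In example" should be "For example" (twice), "seperate" should be "separate", and "case-insnsitive" should be "case-insensitive".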
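Review bot: in the PATCH 2/3 hunk @@ -57,7 +57,7 @@, the shortened heading is fine, but the unchanged context line directly beneath it still opens with "In example, the attacker could specify ..."; since this commit is already touching the section's wording, change it to "For example" here rather than leaving it for a later pass.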
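Review bot: in the PATCH 2/3 hunk @@ -83,7 +83,7 @@, switching the final filter from "WinDefend" to "MpsSvc" resolves the inconsistency with the earlier queries and the lead-in, so this is the right fix. While here, the `extend` line in the visible context, `| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)`, could carry the rest of the normalization the section's own bullet recommends by nesting the calls, for example `replace(@"\s+", " ", replace(",", " ", replace("\"", "", ProcessCommandLine)))`, which would make the "Best query" comment accurate rather than only quote-stripping.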
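Review bot: in the PATCH 3/3 hunk @@ -75,7 +75,7 @@, the "case-insnsitive" fix is correct, but the same section introduced in PATCH 1/3 still contains "seperate" in "use multiple seperate contains operators" and "In example" at the start of two sentences; a typo-only commit is the natural place to fold those in so the series lands with clean prose.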