
lomayor/IntuneDocs

Public repo for Intune content in OPS

lomayor/Microsoft-threat-protection-Hunting-Queries

Sample queries for Advanced hunting in Microsoft Threat Protection

lomayor/windows-itpro-docs

This is used for contributions to the Windows 10 TechNet content for IT professionals.

issue closed: MicrosoftDocs/microsoft-365-docs

Missing Information for DeviceTvmSecureConfigurationAssessment Table

Hi, it looks like this page is missing a description and information for the "Context" column, which contains important information related to the Antivirus Signature. When will it be updated?


closed time in 2 days

waltgithub

issue comment: MicrosoftDocs/microsoft-365-docs

Missing Information for DeviceTvmSecureConfigurationAssessment Table

@yogkumgit I'll update this article today to add three columns. Will close when done. Thanks.

waltgithub

comment created time in 2 days

issue comment: MicrosoftDocs/microsoft-365-docs

Opt out option not available

@yogkumgit, confirmed. Please remove this section:

Turn off Microsoft Threat Protection To stop using Microsoft Threat Protection, go to Settings > Microsoft Threat Protection > Opt-in / Opt-out in the Microsoft 365 security center. Unselect Turn on Microsoft Threat Protection and apply the changes.

Corresponding features will be removed from the Microsoft 365 security center.

bledMS82

comment created time in 2 days

issue comment: MicrosoftDocs/microsoft-365-docs

Missing Information for DeviceTvmSecureConfigurationAssessment Table

@yogkumgit I'll get back to you after I confirm this change with the product team.

waltgithub

comment created time in 5 days

issue comment: MicrosoftDocs/microsoft-365-docs

Opt out option not available

@yogkumgit ... I'll need to verify this with the PM. Please wait for a little bit.

bledMS82

comment created time in 5 days

push event: MicrosoftDocs/windows-itpro-docs

angela-em

commit sha c97ac9b1cfa55416bdfdba68ef9cb9331f6e054e

Specify Expected Behavior for Username/Password Setting

As an Intune SE, we receive a lot of cases for this OMA-URI setting. Customers use it to create a local admin account for Intune enrolled devices but it always reports as failed. By including this information, we can set the expectation and prevent future cases.

view details

Louie Mayor

commit sha d1bf652c6d49681a474d5d48d4ac93f10b020375

Merge pull request #8498 from angela-em/patch-1

Specify Expected Behavior for Username/Password Setting

view details

push time in 5 days

PR merged MicrosoftDocs/windows-itpro-docs

Specify Expected Behavior for Username/Password Setting (label: client management)

As an Intune SE, we receive a lot of cases for this OMA-URI setting. Customers use it to create a local admin account for Intune enrolled devices but it always reports as failed. By including this information, we can set the expectation and prevent future cases.

+1 -0

1 comment

1 changed file

angela-em

pr closed time in 5 days

PR closed MicrosoftDocs/windows-itpro-docs

Update query microsoft defender atp

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8095 Source: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914

+1 -1

2 comments

1 changed file

MaratMussabekov

pr closed time in a month

pull request comment: MicrosoftDocs/windows-itpro-docs

Update query

Closing. This same issue has been addressed in https://github.com/MicrosoftDocs/windows-itpro-docs/pull/8127

MaratMussabekov

comment created time in a month

push event: MicrosoftDocs/windows-itpro-docs

Ben McGarry

commit sha 8d5aefa6bf00959945fe756b7498b6d5250ece13

Update WDAC hunting query

Existing query does not appear to work within WDATP Advanced hunting, this updates the query to return the expected result.

view details

Louie Mayor

commit sha 5b734f1100783c924bb79294ff84984ee0742fc0

Merge pull request #8127 from BenMcGarry/patch-1

Update WDAC hunting query

view details

push time in a month

PR merged MicrosoftDocs/windows-itpro-docs

Update WDAC hunting query (label: microsoft defender application control)

Existing query does not appear to work within WDATP Advanced hunting, this updates the query to return the expected result.

+3 -3

0 comment

1 changed file

BenMcGarry

pr closed time in a month


Pull request review comment: microsoft/Microsoft-threat-protection-Hunting-Queries

PowerShell Empire related pages

+# Detect Base64-encoded PowerShell process and network creation commands++This query was originally published in the threat analytics report, *Hunting for PowerShell Empire*++[PowerShell Empire](https://www.powershellempire.com/) is a modular toolkit used both by penetration testers and malicious actors. It offers a wide range of attack techniques, and has been observed in numerous attacks.++The following query detects Base64-encoded PowerShell commands that are either process creation or network events. This can identify common techniques, such as [Kerberoasting](https://docs.microsoft.com/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038).++More queries related to PowerShell Empire are listed under the [See also](#see-also) section below.++## Query++```Kusto+union DeviceProcessEvents, DeviceNetworkEvents+| where Timestamp > ago(1d)+// Pivot on PowerShell processes+| where InitiatingProcessFileName  in~("powershell.exe", "powershell_ise.exe")+// Look for -encodedcommands, which can be +// abbreviated all the way down to just -e+| where InitiatingProcessCommandLine hasprefix "-e"+// Split the commands on spaces+| extend SplitString = split(InitiatingProcessCommandLine, " ")+// Move the results into an array+| mvexpand SS = SplitString +// Look for Base64 based on regex pattern+| where SS matches regex "^[A-Za-z0-9+/]{50,}[=]{0,2}$"+// Decode Base64 and removing nul character+| extend DecodeString = replace("\\0", "", base64_decodestring(tostring(SS)))+// Check decoded string for Invoke or IEX+| where DecodeString has_any("iex", "invoke")+// Check for specific tokens or combinations +// - update this for querying other tokens of interest in your environment+| where DecodeString has_any(+"locklogging", // ScriptBlock logging command often observed+".php") // Specified C2 domain, usually PHP +or DecodeString has "join" and DecodeString has "char[]"+or DecodeString has "kerberoast"+```++## Category++This 
query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.++| Technique, tactic, or state | Covered? (v=yes) | Notes |+|-|-|-|+| Initial access |  |  |+| Execution | v |  |+| Persistence |  |  |+| Privilege escalation |  |  |+| Defense evasion | v |  |+| Credential Access |  |  |
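Review bot: the decode step `extend DecodeString = replace("\\0", "", base64_decodestring(tostring(SS)))` uses two functions Kusto has since marked deprecated; `base64_decode_tostring()` replaces `base64_decodestring()` and `replace_regex()` replaces `replace()`, so the line is more durable as `| extend DecodeString = replace_regex(base64_decode_tostring(tostring(SS)), "\\0", "")`. In the final filter, `has_any(...) or DecodeString has "join" and DecodeString has "char[]" or DecodeString has "kerberoast"` depends on `and` binding tighter than `or`; wrapping the `join`/`char[]` pair in parentheses would make that grouping explicit for readers who tune the token list, as the comment invites them to.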

@martyav @endisphotic Credential access for Kerberoasting?

martyav

comment created time in 2 months


Pull request review comment: microsoft/Microsoft-threat-protection-Hunting-Queries

PowerShell Empire related pages

+# Detect Base64-encoded PowerShell process and network creation commands++This query was originally published in the threat analytics report, *Hunting for PowerShell Empire*++[PowerShell Empire](https://www.powershellempire.com/) is a modular toolkit used both by penetration testers and malicious actors. It offers a wide range of attack techniques, and has been observed in numerous attacks.++The following query detects Base64-encoded PowerShell commands that are either process creation or network events. This can identify common techniques, such as [Kerberoasting](https://docs.microsoft.com/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038).

@martyav @endisphotic, should we point this to:

https://attack.mitre.org/techniques/T1558/003/

martyav

comment created time in 2 months


push event: microsoft/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha 19cd6a93149a0eef071cf8388bbb018b3b1d5c19

ryuk related pages

view details

Marty Hernandez Avedon

commit sha dab69deffcac2c45d91f3d46e9c9ce6e1b020a42

fixed file paths

view details

Louie Mayor

commit sha 07fdef2353370677043066bd81a7c0dc9a129761

Update cobalt-strike-invoked-w-wmi.md

view details

Louie Mayor

commit sha cc7b7b85970875b51d6a2104e128c73076512f12

Update lazagne.md

view details

Louie Mayor

commit sha 2cf58270c37e7cd90fd5d71494ebe6c7b3d700d5

Update remote-file-creation-with-psexec.md

view details

Louie Mayor

commit sha b8dcada03e3d223b33162b433c0a2eafe8869703

Merge pull request #234 from martyav/ryuk

ryuk related pages

view details

push time in 2 months

PR merged microsoft/Microsoft-threat-protection-Hunting-Queries

ryuk related pages

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173 , #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196 #198, #202, #203, #204 #205, #206, #207, #208 #209, #214, #215, #218 #229, #230, #231, #233

+184 -0

0 comment

3 changed files

martyav

pr closed time in 2 months


push event: martyav/Microsoft-threat-protection-Hunting-Queries

Louie Mayor

commit sha 2cf58270c37e7cd90fd5d71494ebe6c7b3d700d5

Update remote-file-creation-with-psexec.md

view details

push time in 2 months

push event: martyav/Microsoft-threat-protection-Hunting-Queries

Louie Mayor

commit sha cc7b7b85970875b51d6a2104e128c73076512f12

Update lazagne.md

view details

push time in 2 months

push event: martyav/Microsoft-threat-protection-Hunting-Queries

Louie Mayor

commit sha 07fdef2353370677043066bd81a7c0dc9a129761

Update cobalt-strike-invoked-w-wmi.md

view details

push time in 2 months

Pull request review comment: microsoft/Microsoft-threat-protection-Hunting-Queries

ryuk related pages

+# Detect Cobalt Strike invoked via WMI++This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).++[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
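Review bot: the DoppelPaymer link in the second paragraph points to the same human-operated-ransomware blog post that the first paragraph already links as the "related blog", so the reader gets no DoppelPaymer-specific reference; either link a DoppelPaymer threat description or drop the second link and keep the plain name.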

Much like*

martyav

comment created time in 2 months


push event: microsoft/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha fed4a12b446ed7144198717c5eb32b859308c39c

wadharama related pages

view details

Louie Mayor

commit sha 97f730eef6a76b78470c56730c6d28e0cbe18ed8

Merge pull request #204 from martyav/wadhrama

Wadharama related pages

view details

push time in 2 months

PR merged microsoft/Microsoft-threat-protection-Hunting-Queries

Wadharama related pages

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173 , #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196 #198, #202, #203

+170 -0

0 comment

3 changed files

martyav

pr closed time in 2 months


Pull request review comment: MicrosoftDocs/windows-itpro-docs

added new link in related topics

 Table and column names are also listed within the Microsoft Defender Security Ce - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md) - [Learn the query language](advanced-hunting-query-language.md)+- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
RAJU2529

comment created time in 3 months

push event: MicrosoftDocs/microsoft-365-docs

MaratMussabekov

commit sha bf4552d478cfc81b7983a85174de690c00174329

Update advanced-hunting-overview.md

view details

MaratMussabekov

commit sha 2a6307a1f5455c2b21a6376c714ee1a4194dbec9

Update advanced-hunting-overview.md

view details

Louie Mayor

commit sha eed204a94145c51a0a3a7ff0e41c5b250cca6224

Merge pull request #2465 from MaratMussabekov/patch-45

added reference to hunting in MDATP

view details

push time in 3 months

PR merged MicrosoftDocs/microsoft-365-docs

added reference to hunting in MDATP (label: security)

https://github.com/MicrosoftDocs/microsoft-365-docs/issues/2312

+1 -1

2 comments

1 changed file

MaratMussabekov

pr closed time in 3 months

push event: MicrosoftDocs/microsoft-365-docs

Sriraman M S

commit sha 79dfde4ee96cc4d2a5bbc595f8daf2a311f44af6

Update portals.md

Changed link from intune to endpoint manager admin center

view details

Sriraman M S

commit sha 938fcb59c3a2a69461c744ee4de022f3428be91b

Update microsoft-365/security/mtp/portals.md

Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

view details

Louie Mayor

commit sha 3e6b15fc922082511d214d9757988e3a43ca4001

Merge pull request #2526 from msbemba/patch-116

Update portals.md

view details

push time in 3 months

PR merged MicrosoftDocs/microsoft-365-docs

Update portals.md (label: security)

Changed link from intune to endpoint manager admin center

+1 -1

3 comments

1 changed file

msbemba

pr closed time in 3 months

Pull request review comment: MicrosoftDocs/microsoft-365-docs

SEO update to mtp-enable

 search.appverid:  Microsoft Threat Protection automatically turns on when eligible customers with the required permissions visit Microsoft 365 security center. Read this article to understand various prerequisites and how Microsoft Threat Protection is provisioned. +>[!NOTE]+>To learn about Advanced Threat Protection, see [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide).+

Remove. Does not make sense to add a link to O365 in this very prominent section. Also:

- “Advanced Threat Protection” is not an approved name for Office 365 ATP. In fact, there are other ATPs: Microsoft Defender ATP and Azure ATP. BTW, how do we know that searches for “ATP” are intended for Office 365 ATP?

- While I understand this is inserted for SEO or to manage entries from organic searches for “ATP”, I feel this will read like “upsell” text that is too prominent and inserted out of context. Actually, it can be good that they landed on the MTP enablement page because MTP is a higher value superset that we want people to use vs the legacy OATP.

tuco-ulf

comment created time in 3 months

Pull request review comment: MicrosoftDocs/microsoft-365-docs

SEO update advanced-hunting-overview

 ms.custom: seo-marvel-apr2020  [!INCLUDE [Prerelease information](../includes/prerelease.md)] -Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.+Advanced hunting is a query-based cyber threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. -You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.+You can use the same cyber threat hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.

Revert. "cyber threat hunting" does not make sense as a modifier.

tuco-ulf

comment created time in 3 months

Pull request review comment: MicrosoftDocs/microsoft-365-docs

SEO update advanced-hunting-overview

 --- title: Overview - Advanced hunting-description: Learn about advanced hunting queries in Microsoft 365 and how to use them to proactively find threats and weaknesses in your network+description: Learn about advanced hunting queries in Microsoft Threat Protection (MTP) and how to use them to proactively find threats and weaknesses in your network

MTP is not an approved short form

tuco-ulf

comment created time in 3 months

Pull request review comment: MicrosoftDocs/microsoft-365-docs

SEO update to mtp-enable

 ----title: Turn on Microsoft Threat Protection in the Microsoft 365 security center-description: Learn how to enable Microsoft Threat Protection and start integrating your security incident and response. +title: Turn on Microsoft Threat Protection - Microsoft 365 security+description: Learn how to enable Microsoft Threat Protection (MTP) and start integrating your security incident and response. 

MTP is not an approved short form

tuco-ulf

comment created time in 3 months

Pull request review comment: MicrosoftDocs/microsoft-365-docs

added reference to hunting in MDATP

 Advanced hunting is a query-based threat-hunting tool that lets you explore up t  You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. -In the Microsoft 365 security center, advanced hunting supports queries that look into data from various workspaces, including data about devices, emails, apps, and identities from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. To use advanced hunting, [turn on Microsoft Threat Protection](mtp-enable.md).+The feature is similar to the [advanced hunting in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview), except that in the Microsoft 365 security center, advanced hunting supports queries that look into data from various workspaces, including data about devices, emails, apps, and identities from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. To use advanced hunting, [turn on Microsoft Threat Protection](mtp-enable.md).

@yogkumgit, please apply the minor change before I merge.

MaratMussabekov

comment created time in 3 months

Pull request review comment: MicrosoftDocs/microsoft-365-docs

added reference to hunting in MDATP

 Advanced hunting is a query-based threat-hunting tool that lets you explore up t  You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. -In the Microsoft 365 security center, advanced hunting supports queries that look into data from various workspaces, including data about devices, emails, apps, and identities from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. To use advanced hunting, [turn on Microsoft Threat Protection](mtp-enable.md).+The feature is similar to the [advanced hunting in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview), except that in the Microsoft 365 security center, advanced hunting supports queries that look into data from various workspaces, including data about devices, emails, apps, and identities from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. To use advanced hunting, [turn on Microsoft Threat Protection](mtp-enable.md).

Remove "the" before publishing:

The feature is similar to the advanced hunting in Microsoft Defender ATP, except...

MaratMussabekov

comment created time in 3 months
