Marty Hernandez Avedon martyav Microsoft New York, New York https://martyav.github.io/ I write, I code, I draw. @microsoft technical writer on security issues, including ITPro docs, threat intelligence reports, and blogs

martyav/AC3.2-weLearn 1

Our 2017 capstone project, chosen to demo at C4Q's annual gala. When weLearn, everybody wins!

martyav/algoReview 1

Solutions to coding challenges in mostly Swift and Javascript

martyav/AC-DSA 0

Data Structures and Algorithms Curriculum

martyav/AC-iOS-MidProgramAssessment 0

Can I make post and get requests? I sure hope so.

martyav/AC-iOS-Unit2Final 0

Can I make a tableview and pass information over a segue? I sure hope so.

pull request comment microsoft/Microsoft-365-Defender-Hunting-Queries

added cobalt strike page

@tali-ash I recently updated the query to address your suggestion.

martyav

comment created time in 6 days

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha 73d9a2fcc196c133187aa2e26dfc51d39b245d04

Update cobalt-strike.md "Can you please change to AlertInfo table in MTP, the DeviceAlertEvents table is MDATP one and going to be deprecated."

push time in 6 days

pull request comment microsoft/Microsoft-365-Defender-Hunting-Queries

added misc pages related to ransomware techniques

@tali-ash I recently pushed a commit addressing your suggestion.

martyav

comment created time in 6 days

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha 616bbcc7d3b8ec7254d6fadc7f4b070416b1279a

Update backup-deletion.md "In Impact/backup-deletion.md can you please change the table to be AlertsInfo, the MTP table? The MDATP table is going to be deprecated."

push time in 6 days

PR opened MicrosoftDocs/windows-itpro-docs

clarifying behavior on network shares

I'm an internal contributor. I had a request to update this page because there was customer confusion about what turning on network sharing does and doesn't do.

In the Note: If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus

We need to ensure we also mention that files on network shares will also be scanned when executed from a machine that has RTP/on access enabled. Customers are under the impression that with network scanning turned off, we will not scan anything on a network share ever.

+2 -2

0 comment

1 changed file

pr created time in 18 days

create branch martyav/windows-itpro-docs

branch : configure-scanning-options

created branch time in a month

push event MicrosoftDocs/windows-itpro-docs

Marty Hernandez Avedon

commit sha a206de202a9b2aa24bd56016814b2de971a543f2

Update run-scan-microsoft-defender-antivirus.md Another internal ask, to specify the context of local and network scans

push time in a month

PR opened MicrosoftDocs/windows-itpro-docs

edits for linux exclusions

I'm an internal contributor. Got a request to slightly update the Linux exclusions page (adding notes and a code snippet). Putting the PR in the public repo for ease of access.

+13 -0

0 comment

1 changed file

pr created time in a month

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha a333ae1ebd995ce84d7791233e7d745a454e8cd9

rm'd empty section

push time in a month

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha 66d26a8abe62a1f381bdad2bcb32da8964466d84

fixed links

push time in a month

Pull request review comment microsoft/Microsoft-threat-protection-Hunting-Queries

PowerShell Empire related pages

+# Detect Base64-encoded PowerShell process and network creation commands++This query was originally published in the threat analytics report, *Hunting for PowerShell Empire*++[PowerShell Empire](https://www.powershellempire.com/) is a modular toolkit used both by penetration testers and malicious actors. It offers a wide range of attack techniques, and has been observed in numerous attacks.++The following query detects Base64-encoded PowerShell commands that are either process creation or network events. This can identify common techniques, such as [Kerberoasting](https://docs.microsoft.com/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038).++More queries related to PowerShell Empire are listed under the [See also](#see-also) section below.++## Query++```Kusto+union DeviceProcessEvents, DeviceNetworkEvents+| where Timestamp > ago(1d)+// Pivot on PowerShell processes+| where InitiatingProcessFileName  in~("powershell.exe", "powershell_ise.exe")+// Look for -encodedcommands, which can be +// abbreviated all the way down to just -e+| where InitiatingProcessCommandLine hasprefix "-e"+// Split the commands on spaces+| extend SplitString = split(InitiatingProcessCommandLine, " ")+// Move the results into an array+| mvexpand SS = SplitString +// Look for Base64 based on regex pattern+| where SS matches regex "^[A-Za-z0-9+/]{50,}[=]{0,2}$"+// Decode Base64 and removing nul character+| extend DecodeString = replace("\\0", "", base64_decodestring(tostring(SS)))+// Check decoded string for Invoke or IEX+| where DecodeString has_any("iex", "invoke")+// Check for specific tokens or combinations +// - update this for querying other tokens of interest in your environment+| where DecodeString has_any(+"locklogging", // ScriptBlock logging command often observed+".php") // Specified C2 domain, usually PHP +or DecodeString has "join" and DecodeString has "char[]"+or DecodeString has "kerberoast"+```++## Category++This 
query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.++| Technique, tactic, or state | Covered? (v=yes) | Notes |+|-|-|-|+| Initial access |  |  |+| Execution | v |  |+| Persistence |  |  |+| Privilege escalation |  |  |+| Defense evasion | v |  |+| Credential Access |  |  |
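Review bot: the Category table at the end of the hunk leaves Credential Access unchecked, although the description says the query can identify Kerberoasting and the final filter keys on `DecodeString has "kerberoast"`; mark that row as covered (or drop the Kerberoasting claim) so the table and the text agree. The comment `// Move the results into an array` above `mvexpand SS = SplitString` describes the opposite of what that stage does: `split` already produced the array, and `mvexpand` fans it out into one row per element, so reword it to something like `// Expand the array into one row per token`. Minor: `mvexpand` is the legacy spelling of the operator; `mv-expand SS = SplitString` is the current form.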

Added in the latest commit

martyav

comment created time in a month

Pull request review comment microsoft/Microsoft-threat-protection-Hunting-Queries

PowerShell Empire related pages

+# Detect Base64-encoded PowerShell process and network creation commands++This query was originally published in the threat analytics report, *Hunting for PowerShell Empire*++[PowerShell Empire](https://www.powershellempire.com/) is a modular toolkit used both by penetration testers and malicious actors. It offers a wide range of attack techniques, and has been observed in numerous attacks.++The following query detects Base64-encoded PowerShell commands that are either process creation or network events. This can identify common techniques, such as [Kerberoasting](https://docs.microsoft.com/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038).

I updated this with the latest commit

martyav

comment created time in a month

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha dd4e530c4e9e26b74110c1530ab9ced598232e6f

link changed, new category

push time in a month

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

.jse related techniques

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215, #218, #229, #230, #231, #233, #234

+94 -0

0 comment

2 changed files

pr created time in a month

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha dab69deffcac2c45d91f3d46e9c9ce6e1b020a42

fixed file paths

push time in a month

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

ryuk related pages

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215, #218, #229, #230, #231, #233

+184 -0

0 comment

3 changed files

pr created time in a month

create branch martyav/Microsoft-threat-protection-Hunting-Queries

branch : ryuk

created branch time in a month

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

files related to doppelpaymer

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215, #218, #229, #230, #231

+216 -0

0 comment

4 changed files

pr created time in a month

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added misc pages related to ransomware techniques

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215, #218, #229, #230

+271 -0

0 comment

5 changed files

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha dba85b11b558ed85b1dd830219bd67c31c0ab495

pages related to doublepulsar

Marty Hernandez Avedon

commit sha d1ab1f7c4df554ae46e66b536009f7d012e00d9a

fixed link

tali-ash

commit sha ba13711f6817928092d42fa70a65c4934721e255

Merge pull request #218 from martyav/martyav-miners pages related to doublepulsar

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added cobalt strike page

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215, #218, #229

+66 -0

0 comment

1 changed file

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha b5f1f56d9db0156e7b6e6f04eac7a58a0f246378

sometimes the files are already on the target

push time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Michael Melone

commit sha 9844d7b638ab8ca706f37118c8452b6bc1b5e7ff

Create Endpoint Status Report.csl

Marty Hernandez Avedon

commit sha 4e1fc568f1bc1396c5ff08c82a8c073a36ee49ee

added confluence-weblogic-targeted

Marty Hernandez Avedon

commit sha fe0982dd99535453f29413001d074079653e9386

corrected chart

Maarten Goet

commit sha 48be6ba3d1b21cacdbe9c2a584c8db72dff47e60

MTP advanced hunting Jupyter notebook

tali-ash

commit sha 92cbf2c1b648d3fa735e14f18a106897e0bab4e5

Merge pull request #217 from maartengoet/master MTP advanced hunting Jupyter notebook

tali-ash

commit sha 314e846160e6dbfa1966201c75aae39195b16883

Merge pull request #216 from martyav/confluence-weblogic added confluence-weblogic-targeted

tali-ash

commit sha 9007a1e2cb85daabe44cc605a4596a65434e30e1

Merge pull request #213 from microsoft/mjmelone-patch-38 Create Endpoint Status Report.csl

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added pages related to robbinhood

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215, #218

+90 -0

0 comment

2 changed files

pr created time in 2 months

PR opened MicrosoftDocs/OfficeDocs-SkypeForBusiness

updated loa for us forms

Re task https://office.visualstudio.com/MAX/_workitems/edit/4413485

https://docs.microsoft.com/en-us/microsoftteams/manage-phone-numbers-for-your-organization/phone-number-management-for-the-u-s

This requested update is for two downloadable files from this page to be updated (see attached for the current versions of the files).

+1 -1

0 comment

3 changed files

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha d1ab1f7c4df554ae46e66b536009f7d012e00d9a

fixed link

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

pages related to doublepulsar

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215

+140 -0

0 comment

2 changed files

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha fe0982dd99535453f29413001d074079653e9386

corrected chart

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added confluence-weblogic-targeted

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214, #215

+97 -0

0 comment

1 changed file

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha dc4d65386c406dd95b78b6a9a65cf94b0729cf7e

updated category chart

push time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : ta-query-surfbuyer

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : may-2019-zero-days

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : fix-boilerplate

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : ta-cve-2020-0601

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : sql-server-abuse

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : locate-ALPC-local-privilege-elevation-exploit

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : ta-shadowhammer-attack

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : shadowhammer-activity

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : operation-softcell

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : osx-shlayer-adware

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : attacks-on-ngos-govt

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : exploit--cve-2018-8653

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : detect-office-products-launching-w-wmic

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : suspicious-mshta-usage

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : bluekeep-exploit

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : ironsource-pua

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : cve-2018-15982

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : msiexec-abuse

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : python-macos

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : winrar-exploit

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : patch-1

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : qakbot

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : mailsniper

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : cve-2019-0808

delete time in 2 months

delete branch martyav/Microsoft-threat-protection-Hunting-Queries

delete branch : wadhrama

delete time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added pages related to oceanlotus apt32

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209, #214

+174 -0

0 comment

2 changed files

pr created time in 2 months

create branch martyav/Microsoft-threat-protection-Hunting-Queries

branch : oceanlotus

created branch time in 2 months

create branch martyav/windows-itpro-docs

branch : martyav-mem-schedule-a-scan

created branch time in 2 months

push event martyav/windows-itpro-docs

Marty Hernandez Avedon

commit sha 61029666539a08c54c1672e0dcb087ae525435f4

added link to using shell scripts in macos page

push time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha 906bcb02ee78054831f7c976f0c7ff25d5b10f50

noting other name in title

push time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha f3713dc9bf2343785f9dfdff343c5e3b7fba3137

wording

push time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha fed4a12b446ed7144198717c5eb32b859308c39c

wadharama related pages

Louie Mayor

commit sha 97f730eef6a76b78470c56730c6d28e0cbe18ed8

Merge pull request #204 from martyav/wadhrama Wadharama related pages

tali-ash

commit sha 4d4073bcfe0a0c10d2915f1ff7a703c022318c98

Create Check for Maalware Baazar (abuse.ch) hashes in your mail flow.md

billy-sec

commit sha 03690bb7984e306daa577afbf91281a400021d74

Update scheduled task creation.txt The original intent of the Sigma rule is to identify scheduled tasks created by user accounts, not the system account.

tali-ash

commit sha 8131320f81f410e1683c50c37c326b159f884dde

Merge pull request #212 from billy-sec/patch-3 Update scheduled task creation.txt

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added Trickbot-related pages

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208, #209

+94 -0

0 comment

2 changed files

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha f79db725c25d045f7a0cf55ab06f98dbea73de69

wording

push time in 2 months

create branch martyav/Microsoft-threat-protection-Hunting-Queries

branch : trickbot

created branch time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added pages related to dudear activity

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207, #208

+88 -0

0 comment

2 changed files

pr created time in 2 months

create branch martyav/Microsoft-threat-protection-Hunting-Queries

branch : dudear

created branch time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added 2019-rdp-vulnerabilities

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206, #207

+63 -0

0 comment

1 changed file

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha b6805203451b863d7501da87a15246c47a2ad9d8

typo fix

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added wdigest-caching

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205, #206

+51 -0

0 comment

1 changed file

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha 26dcf90ca4c6d44f1b19d11fa8ea2ff510c6e885

changed title

push time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added font-parsing-vulnerabilities.md

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204, #205

+52 -0

0 comment

1 changed file

pr created time in 2 months

issue opened TheRenegadeCoder/sample-programs-website

Add Article for Fizz Buzz in Swift

Added code snippet but need to add article as well

created time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

added vpn-exploits.md

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203, #204

+56 -0

0 comment

1 changed file

pr created time in 2 months

create branch martyav/Microsoft-threat-protection-Hunting-Queries

branch : vpn-exploits

created branch time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

Wadharama related pages

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202, #203

+170 -0

0 comment

3 changed files

pr created time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

PowerShell Empire related pages

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198, #202

+420 -0

0 comment

6 changed files

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

Marty Hernandez Avedon

commit sha a9a384566ab8acda878480b5adf277e5e2a3957d

added detect-nbtscan-activity-by-operation-soft-cell.md

Marty Hernandez Avedon

commit sha 592569677a7b1e8fa2d6266898ef6de88dbc4b32

clarifications

Marty Hernandez Avedon

commit sha 4e12b65dd23f5804631a07e9399446dc1d4c84bc

added detect-suspicious-commands-initiated-by-web-server-processes.md

Marty Hernandez Avedon

commit sha 0bd4183a2542501e95b812672a4256cbb4c62554

added locate-shlayer-payload-decryption-activity.md

Marty Hernandez Avedon

commit sha 1841446a83ba602992e02ff2a0c7b0eb36906e05

added detect-cyzfc-activity.md

Marty Hernandez Avedon

commit sha f6ececd7212c164bbb18490f0306e32ccacd045c

added detect-exploitation-of-cve-2018-8653.md

Marty Hernandez Avedon

commit sha 0574c423016dcc56eeef59fa0836c305e36e5c34

added detect-office-products-spawning-wmic.md

Marty Hernandez Avedon

commit sha 307880b9480989ef386ec3c448a0b37c7977a30e

added detect-suspicious-mshta-usage.md

Marty Hernandez Avedon

commit sha 5d4adac9d060bc35d424c4599165dfe367f0701e

added detect-suspicious-rdp-connections.md

Marty Hernandez Avedon

commit sha 2173493af59a41bf8a2bb100fe64dbd774f2de34

missing title

Marty Hernandez Avedon

commit sha eda85b1ba809a47b804ef6592a24671998038864

added detect-bluekeep-related-mining.md not so sure about classification

Marty Hernandez Avedon

commit sha 6d7d61bd1bfaec42aac7a1f30cc0476707ebcc27

updated title

Marty Hernandez Avedon

commit sha 6c1fd807c5d7de60514adfa26988e64b10217108

added c2-bluekeep.md

Marty Hernandez Avedon

commit sha 2a889be93275c546e4cc753429f9daea9762fc14

added detect-bluekeep-exploitation-attempts.md

Marty Hernandez Avedon

commit sha 269b7e0d61e045ec49b1a5771d9e930ad4cac3c6

typo

Michael Melone

commit sha d6410594ae6f9854585234c0200d8ff591ebebcf

Create README.md

Michael Melone

commit sha 745b60828d1c20f358db3ec58f0ccfbed958b1b0

Update Possible Ransomware Related Destruction Activity.csl

Marty Hernandez Avedon

commit sha d69c608d009b3e74c39d808d22615865dc5ea9f8

added links to other bluekeep queries

Marty Hernandez Avedon

commit sha e84adbce80dfe45e3c683223901d52a0d8f53d8f

added .\Persistence\detect-prifou-pua.md

Michael Melone

commit sha 5930c413ecfecbf7ca486bf4c70a011a0df06816

Create Episode 2 - Joins.csl Slight update - added the union operator

push time in 2 months

create branch martyav/Microsoft-threat-protection-Hunting-Queries

branch : wadhrama

created branch time in 2 months

issue closed microsoft/Microsoft-threat-protection-Hunting-Queries

Can't pull from branch because of file name

Hi.

When I try to pull the latest changes from the main branch, I keep getting an error:

invalid path 'Exfiltration/Data copied to other location than C:.txt'

Looks like Git is confused by this file name. Is there a work-around?

closed time in 2 months

martyav

push event martyav/drawing-pad

dependabot[bot]

commit sha 9d5fa1c3a72533763c5f95f5d307282d04038127

Bump elliptic from 6.4.1 to 6.5.3 Bumps [elliptic](https://github.com/indutny/elliptic) from 6.4.1 to 6.5.3. - [Release notes](https://github.com/indutny/elliptic/releases) - [Commits](https://github.com/indutny/elliptic/compare/v6.4.1...v6.5.3) Signed-off-by: dependabot[bot] <support@github.com>

Marty Hernandez Avedon

commit sha fdd9478a7a0c05d97b257ca275f64d028cde0917

Merge pull request #15 from martyav/dependabot/npm_and_yarn/elliptic-6.5.3 Bump elliptic from 6.4.1 to 6.5.3

push time in 2 months

PR merged martyav/drawing-pad

Bump elliptic from 6.4.1 to 6.5.3 dependencies

Bumps elliptic from 6.4.1 to 6.5.3.

Commits:

  • 8647803 6.5.3 (https://github.com/indutny/elliptic/commit/8647803dc3d90506aa03021737f7b061ba959ae1)
  • 856fe4d signature: prevent malleability and overflows (https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec)
  • 6048941 6.5.2 (https://github.com/indutny/elliptic/commit/60489415e545efdfd3010ae74b9726facbf08ca8)
  • 9984964 package: bump dependencies (https://github.com/indutny/elliptic/commit/9984964457c9f8a63b91b01ea103260417eca237)
  • ec735ed utils: leak less information in getNAF() (https://github.com/indutny/elliptic/commit/ec735edde187a43693197f6fa3667ceade751a3a)
  • 71e4e8e 6.5.1 (https://github.com/indutny/elliptic/commit/71e4e8e2f5b8f0bdbfbe106c72cc9fbc746d3d60)
  • 7ec66ff short: add infinity check before multiplying (https://github.com/indutny/elliptic/commit/7ec66ffa255079260126d87b1762a59ea10de5ea)
  • ee7970b travis: really move on (https://github.com/indutny/elliptic/commit/ee7970b92f388e981d694be0436c4c8036b5d36c)
  • 637d021 travis: move on (https://github.com/indutny/elliptic/commit/637d0216b58de7edee4f3eb5641295ac323acadb)
  • 5ed0bab package: update deps (https://github.com/indutny/elliptic/commit/5ed0babb6467cd8575a9218265473fda926d9d42)
  • Additional commits viewable in the compare view: https://github.com/indutny/elliptic/compare/v6.4.1...v6.5.3

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+13 -9

0 comment

1 changed file

dependabot[bot]

pr closed time in 2 months

PR opened microsoft/Microsoft-threat-protection-Hunting-Queries

Added 3 files for cve-2019-0808

Part of a series of pull requests, placing queries from the TA reports in the repo.

Some of the column names may be outdated, as some of the reports are quite old.

Others in the series: #145, #155, #163, #165, #168, #169, #170, #172, #173, #174, #175, #177, #178, #182, #183, #190, #191, #192, #195, #196, #198

+155 -0

0 comment

3 changed files

pr created time in 2 months

push event martyav/Microsoft-threat-protection-Hunting-Queries

push time in 2 months
