Following on the heels of our recent partnership announcement with Microsoft, which you can read about on our site here (http://www.prweb.com/releases/2017/11/prweb14887733.htm), our Ziften Security Research team has started leveraging a very cool component of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data that has been sent by products and tools, such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared amongst the community of Windows Defender ATP users and even more broadly within the Github repository located here (https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/).
We have added a handful of shared queries so far, but the results are quite interesting, and we love the ease of use of the hunting interface. Since Ziften sends endpoint data collected from Linux and macOS systems to Windows Defender ATP, we are focusing on those operating systems in our query development efforts to showcase the complete coverage of the platform.
You can access the Advanced Hunting interface by selecting the database icon on the left-hand side as shown below.
Figure 1: Microsoft Windows Defender Security Center Advanced Hunting
You can see the high-level schema on the top left of that page with events such as ProcessCreation, Machineinfo, NetworkCommunication and others. We ran some recent malware within our Redlab and created some queries to find that data and generate the results for investigation. One such sample was OceanLotus (https://www.scmagazineuk.com/oceanlotus-hacker-group-launches-malicious-macos-backdoor/article/756378/). We created a couple of queries to find both the dropper and the files associated with this threat. After running the queries, you get results with which you can interact.
Upon inspection of the results, we see some systems that have exhibited the searched-for behavior. When you select one of these systems, you can view the details of that particular system. From there you can view the alerts triggered and an event timeline. Details from the malicious process are shown below.
Figure 2: Machine Timeline View in Windows Defender Security Center
Additional behavior-based queries can also be run. For example, we executed another malicious sample which leveraged a couple of techniques that we queried. The screenshot below shows a query we ran when looking for the Gatekeeper program on a macOS being disabled from the command line. While this action could be an administrative action, it is certainly something you would want to know is happening within your environment.
Figure 3: Additional Advanced Hunting in Windows Defender Security Center
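As an added example (not a query from this post or from the shared query repository), this is the shape such a Gatekeeper query takes in the Advanced Hunting query language; the table name ProcessCreationEvents and its column names are assumptions, so confirm them against the schema pane in your own tenant before running it.

```kusto
// Added example, not Ziften's or Microsoft's own query.
// Hunt for Gatekeeper being turned off from the command line on macOS
// (the spctl utility with --master-disable). Table and column names are
// assumptions; verify them in the Advanced Hunting schema pane.
ProcessCreationEvents
| where EventTime > ago(7d)
// Match spctl itself as well as a shell or script that wraps it in one command line;
// "has" matches whole terms, so "master-enable" is not picked up here.
| where ProcessCommandLine has "spctl" and ProcessCommandLine has "master-disable"
// Keep the parent process: an installer or a login shell tells a different story
// than an unknown binary dropped under /tmp.
| project EventTime, ComputerName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by EventTime desc
```

Because disabling Gatekeeper can be a legitimate administrative action, triage the InitiatingProcess columns and the account involved before treating a hit as an incident.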
From these query results, you can again select the system in question and further investigate the suspicious behaviors.
Figure 4: System Event View in Windows Defender Security Center
This blog certainly doesn’t serve as an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our excitement about how easy it is to leverage this feature to conduct your own custom threat hunting in a multi-system environment, and across Windows, macOS and Linux systems.
We look forward to sharing more of our experimentation and research using queries built using the Advanced Hunting feature. We share our successes with everyone here, so stay tuned.
In the meantime, if you’d like to learn more about the Ziften Zenith and Microsoft Windows Defender ATP integration for endpoint detection and response on Windows, macOS and Linux systems, you can go here (https://ziften.com/microsoft-and-ziften/).