Performing threat hunting is an essential task for any security team that wants to stay ahead of the ever-evolving cybersecurity landscape. By proactively searching for potential threats and vulnerabilities, organizations can identify and mitigate security risks before they turn into major incidents.
One way to perform threat hunting is by using Microsoft Defender for Endpoint’s advanced hunting capabilities. In this blog post, we will explore how to use advanced hunting to find ransomware and query emails and devices.
Ransomware is a type of malware that encrypts a victim’s files and demands payment in exchange for the decryption key. Advanced hunting can help security teams to identify and respond to ransomware attacks before they cause significant damage.
To find ransomware using advanced hunting in Microsoft Defender for Endpoint, follow these steps:
Open the Microsoft Defender Security Center and select Advanced hunting under Hunting in the left-hand menu.
In the query bar, type the following query to search for ransomware:
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "mshta.exe"
| where FileName endswith "README.TXT" or FileName endswith "README.HTML" or FileName endswith "README.PNG"
| summarize count() by DeviceName, bin(Timestamp, 1h)
| order by count_ desc
This query searches for devices that have experienced file events related to ransomware in the past seven days. It looks for the mshta.exe process, which is commonly used by ransomware, and files with names that typically indicate the presence of ransomware, such as README.TXT, README.HTML, and README.PNG.
Click Run query to execute the query and view the results. You can then use the results to identify affected devices and take remediation actions as needed.
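The README-file query above keys on one process and three file names. A broader hunt, added here as an example and not part of the original post, looks for the behaviour most ransomware shares: a burst of file creations, renames or modifications from a single process on a single device, and then checks whether a ransom-note-like file appeared on that device in the same window. Column names are from the DeviceFileEvents schema as documented for advanced hunting; the 5-minute bin, the 200-event threshold, the Windows-folder exclusion and the note-name pattern are assumptions to tune for your own estate.

```kql
// Added example, not from the original post.
// Step 1: bursts of file activity per device, process and account.
let lookback = 7d;
let binSize = 5m;
let threshold = 200;   // assumed; baseline your environment first
let bursts = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
| where FolderPath !startswith @"C:\Windows\"   // assumed exclusion for OS noise
| extend Ext = extract(@"\.([^.]+)$", 1, tolower(FileName))
| summarize Events = count(),
            DistinctExtensions = dcount(Ext),
            SampleFile = take_any(FileName)
    by DeviceId, DeviceName, InitiatingProcessFileName,
       InitiatingProcessAccountName, Window = bin(Timestamp, binSize)
| where Events > threshold;
// Step 2: ransom-note-like file names on the same device in the same window.
let notes = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where FileName matches regex @"(?i)(readme|recover|decrypt|how_to|restore).*\.(txt|html|hta|png)$"
| summarize NoteFiles = make_set(FileName, 5)
    by DeviceId, Window = bin(Timestamp, binSize);
// Step 3: keep every burst; attach note files where they exist so that
// a burst with a note ranks as a stronger lead than a burst alone.
bursts
| join kind=leftouter notes on DeviceId, Window
| project Window, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName,
          Events, DistinctExtensions, SampleFile, NoteFiles
| order by Events desc
```

Backup agents, installers and compilers also produce bursts, so expect to add process-name exclusions after the first run; a high DistinctExtensions value from a process that is not a known bulk-file tool is usually the more interesting row than the raw event count.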
Advanced hunting can also be used to query emails and devices for potential security risks. For example, you can search for devices that have accessed a compromised email account or emails containing suspicious attachments.
To query emails and devices using advanced hunting in Microsoft Defender for Endpoint, follow these steps:
Open the Microsoft Defender Security Center and select Advanced hunting under Hunting in the left-hand menu.
In the query bar, type the following query to search for emails containing suspicious attachments:
// Attachments are recorded one per row in EmailAttachmentInfo; EmailEvents
// carries only AttachmentCount, and has_any does not do wildcard matching.
EmailAttachmentInfo
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".scr"
| summarize count() by RecipientEmailAddress, bin(Timestamp, 1h)
| order by count_ desc
This query searches the EmailAttachmentInfo table for attachments with file extensions commonly used by malware, such as .exe, .dll, and .scr. It then summarizes the count of matching attachments by recipient email address and hour.
Click Run query to execute the query and view the results. You can then use the results to identify potentially compromised email accounts and take remediation actions as needed.
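Counting risky attachments per recipient shows who received something; the question a responder needs answered next is whether the attachment was ever written to disk on a managed device. The following query, added here as an example and not part of the original post, joins email attachments to endpoint file events on the attachment's SHA256. Tables and columns (EmailAttachmentInfo, EmailEvents, DeviceFileEvents) are from the advanced hunting schema; the 7-day lookback and the extension list (the post's .exe, .dll, .scr, .pif and .vbs plus a few more script and container types) are assumptions.

```kql
// Added example, not from the original post.
let lookback = 7d;
// Extensions without the leading dot; extended list is an assumption.
let risky = dynamic(["exe", "dll", "scr", "pif", "vbs", "js", "hta", "iso", "lnk"]);
// Step 1: risky attachments, enriched with the message subject and the
// delivery verdict so that blocked mail can be separated from delivered mail.
let attachments = EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| extend Ext = extract(@"\.([^.]+)$", 1, tolower(FileName))
| where Ext in (risky)
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, Subject, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId
| project EmailTime = Timestamp, RecipientEmailAddress, SenderFromAddress,
          Subject, AttachmentName = FileName, SHA256, DeliveryAction, DeliveryLocation;
// Step 2: the same hash created as a file on any onboarded device after
// the mail arrived. No match means the attachment never reached disk.
attachments
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where isnotempty(SHA256)
    | project DeviceTime = Timestamp, DeviceName, FolderPath, FileName,
              InitiatingProcessFileName, InitiatingProcessAccountUpn, SHA256
  ) on SHA256
| where DeviceTime >= EmailTime
| project EmailTime, DeviceTime, RecipientEmailAddress, SenderFromAddress, Subject,
          AttachmentName, DeliveryAction, DeliveryLocation, DeviceName, FolderPath,
          FileName, InitiatingProcessFileName, InitiatingProcessAccountUpn, SHA256
| order by DeviceTime desc
```

Rows where DeliveryAction shows the mail was delivered and InitiatingProcessFileName is a mail client or browser are the ones to triage first; a hash that appears on several devices from the same sender is a candidate for adding to your indicator list.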
By using advanced hunting to perform threat hunting, security teams can identify and respond to potential security risks more effectively. Whether searching for ransomware or querying emails and devices for suspicious activity, advanced hunting in Microsoft Defender for Endpoint is a powerful tool for staying ahead of cyber threats.
In conclusion, threat hunting is a vital component of any effective security strategy. By proactively searching for potential threats and vulnerabilities, organizations can identify and remediate security risks before they turn into major incidents. Microsoft Defender for Endpoint’s advanced hunting capabilities provide a powerful tool for performing threat hunting, and the ability to search for ransomware and query emails and devices for potential security risks can help security teams to stay ahead of evolving cyber threats.
Threat hunting is the practice of proactively searching for threats and identifying and remediating them before they cause harm.
Microsoft Defender for Endpoint provides a powerful toolset for threat hunting, including Advanced Hunting, which allows you to query your data to identify threats and remediate them.
You can use Advanced Hunting to query your data for indicators of ransomware, such as file extensions commonly associated with ransomware, and investigate any suspicious activity.
By proactively searching for ransomware, you can identify and remediate it before it causes harm to your organization.
You can use Advanced Hunting to query your email and device data for suspicious activity, such as emails with malicious attachments or devices with outdated software.
By proactively searching for suspicious activity in emails and devices, you can identify and remediate potential threats before they cause harm to your organization.
DeviceEvents
| where ActionType == "RansomwareDetection"
// DeviceEvents exposes the acting account and the path as
// InitiatingProcessAccountName, FolderPath and FileName.
| project Timestamp, DeviceName, DeviceId, InitiatingProcessAccountName, FolderPath, FileName
// Attachment names live in EmailAttachmentInfo; join back to EmailEvents
// on NetworkMessageId to pick up the subject.
EmailAttachmentInfo
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".pif" or FileName endswith ".vbs"
| join kind=inner (EmailEvents | project NetworkMessageId, Subject) on NetworkMessageId
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, FileName, FileType
By proactively searching for suspicious activity and using data analysis tools, such as machine learning and behavioral analytics, you can identify new and emerging threats that may not yet have established signatures or known indicators.