MDE - Host Advanced Hunting

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature based on the provided inputs.

Microsoft Defender for Endpoint · 32 tasks · 8 inputs · 23 outputs

Inputs

  • FileSha1 — A comma-separated list of file SHA1 hashes to hunt.
  • FileSha256 — A comma-separated list of file Sha256 hashes to hunt.
  • IP — A comma-separated list of IPs to hunt.
  • DeviceName — A comma-separated list of host names to hunt.
  • FileName — A comma-separated list of file names to hunt.
  • DeviceID — A comma-separated list of device ID to hunt.
  • FileMd5 — A comma-separated list of file MD5 hashes to hunt.
  • QueryBatch — Define the custom queries you would like to run as a part of the 'MDE - Host Advanced Hunting' playbook. This input will be passed to the 'query_batch' argument in the '!microsoft-atp-advanced-hunting' command. For more information and examples, check the command's hints.

Outputs

  • MicrosoftATP.HuntTampering — The query results for hunt tampering.
  • MicrosoftATP.HuntTampering.Result — The query results.
  • MicrosoftATP.HuntPrivilegeEscalation — The query results for hunt privilege escalation.
  • MicrosoftATP.HuntPrivilegeEscalation.Result — The query results.
  • MicrosoftATP.HuntLateralMovementEvidence.Result — The query results for hunt lateral movement evidence.
  • MicrosoftATP.HuntLateralMovementEvidence.Result.network_connections — Query results from the Microsoft Defender For Endpoint Advanced Hunting on network connections.
  • MicrosoftATP.HuntLateralMovementEvidence.Result.smb_connections — Query Results from the Microsoft Defender For Endpoint Advanced Hunting on SMB connections.
  • MicrosoftATP.HuntLateralMovementEvidence.Result.credential_dumping — Query results from the Microsoft Defender For Endpoint Advanced Hunting on credential dumping.
  • MicrosoftATP.HuntLateralMovementEvidence.Result.management_connection — Query results from the Microsoft Defender For Endpoint Advanced Hunting on management connections.
  • MicrosoftATP.HuntPersistenceEvidence — Query results from the Microsoft Defender For Endpoint Advanced Hunting for hunt lateral movement evidence.
  • MicrosoftATP.HuntPersistenceEvidence.Result — Query results from the Microsoft Defender For Endpoint Advanced Hunting for hunt persistence evidence.
  • MicrosoftATP.HuntPersistenceEvidence.Result.scheduled_job — Query results from the Microsoft Defender For Endpoint Advanced Hunting for scheduled jobs.
  • MicrosoftATP.HuntPersistenceEvidence.Result.registry_entry — Query results from the Microsoft Defender For Endpoint Advanced Hunting for registry entries.
  • MicrosoftATP.HuntPersistenceEvidence.Result.startup_folder_changes — Query results from the Microsoft Defender For Endpoint Advanced Hunting for startup folder changes.
  • MicrosoftATP.HuntPersistenceEvidence.Result.new_service_created — Query results from the Microsoft Defender For Endpoint Advanced Hunting for created new services.
  • MicrosoftATP.HuntPersistenceEvidence.Result.service_updated — Query results from the Microsoft Defender For Endpoint Advanced Hunting for updated services.
  • MicrosoftATP.HuntPersistenceEvidence.Result.file_replaced — Query results from the Microsoft Defender For Endpoint Advanced Hunting for replaced files.
  • MicrosoftATP.HuntPersistenceEvidence.Result.new_user — Query results from the Microsoft Defender For Endpoint Advanced Hunting for new users.
  • MicrosoftATP.HuntPersistenceEvidence.Result.new_group — Query results from the Microsoft Defender For Endpoint Advanced Hunting for new groups.
  • MicrosoftATP.HuntPersistenceEvidence.Result.group_user_change — Query results from the Microsoft Defender For Endpoint Advanced Hunting for changes in group users.
  • MicrosoftATP.HuntPersistenceEvidence.Result.local_firewall_change — Query results from the Microsoft Defender For Endpoint Advanced Hunting for changes in the local firewall.
  • MicrosoftATP.HuntPersistenceEvidence.Result.host_file_change — Query results from the Microsoft Defender For Endpoint Advanced Hunting for changes in the host file.
  • MicrosoftATP.File — File information from Microsoft ATP.

Commands used

microsoft-atp-advanced-hunting microsoft-atp-advanced-hunting-lateral-movement-evidence microsoft-atp-advanced-hunting-privilege-escalation microsoft-atp-advanced-hunting-tampering microsoft-atp-get-file-info setIncident

Flowchart

true true true true true true true yes yes Start Start Network Activity Network Activity Privilege Escalation Privilege Escalation PowerShell Analysis PowerShell Analysis Persistence Persistence Mimikatz/Other Lsaas manipulation Mimikatz/Other Lsaas mani... Is the Local Admin Signed to the Device? Is the Local Admin Signed... Defense Evasion Defense Evasion Is there an attempt to disable MS? - microsoft-atp-advanced-hunting-tampering Is there an attempt to di... microsoft-atp-advanced-huntin... Local Admin user was logged in? - microsoft-atp-advanced-hunting-privilege-escalation Local Admin user was logg... microsoft-atp-advanced-huntin... Password manipulation - microsoft-atp-advanced-hunting-lateral-movement-evidence Password manipulation microsoft-atp-advanced-huntin... Done Done Any results? Any results? Raise the severity of the incident and add the "Tempering Action" tag. - setIncident Raise the severity of the... setIncident Add "Credential Dump" tag - setIncident Add "Credential Dump" tag setIncident Any results? Any results? MDE - Host Advanced Hunting For Powershell Executions - MDE - Host Advanced Hunting For Powershell Executions MDE - Host Advanced Hunti... MDE - Host Advanced Hunting F... MDE - Host Advanced Hunting For Persistence - MDE - Host Advanced Hunting For Persistence MDE - Host Advanced Hunti... MDE - Host Advanced Hunting F... MDE - Host Advanced Hunting For Network Activity - MDE - Host Advanced Hunting For Network Activity MDE - Host Advanced Hunti... MDE - Host Advanced Hunting F... Any results? Any results? Add "Local Admin" Tag - setIncident Add "Local Admin" Tag setIncident File Signature Check File Signature Check Gets file information. - microsoft-atp-get-file-info Gets file information. microsoft-atp-get-file-info Any digital signing info? Any digital signing info? Updates the "Signed File" tag and sets the signature incident field. - setIncident Updates the "Signed File"... setIncident Is there a hash? Is there a hash? Check if device information was provided Check if device informati... Custom Batch Queries Custom Batch Queries Run Custom Queries - microsoft-atp-advanced-hunting Run Custom Queries microsoft-atp-advanced-hunting Add "Custom Queries" Tag - setIncident Add "Custom Queries" Tag setIncident Any results? Any results? Are there any batch queries? Are there any batch queries?