Use the below query to detect Windows Defender exclusion changes.
// T1562.001 - Impair Defenses: Disable or Modify Tools
Alex Verboon alexverboon
alexverboon
/ localgroupmembershipchanges.kql
Created
September 6, 2020 08:14
Hunting for local group membership changes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let ADAZUsers = IdentityInfo | |
| | extend DirectoryDomain = AccountDomain | |
| | extend DirectoryAccount = AccountName | |
| | distinct DirectoryDomain , DirectoryAccount , OnPremSid , CloudSid, AccountUpn, GivenName, Surname; | |
| // check for any new created or modified local accounts | |
| let NewUsers = DeviceEvents | |
| | where ActionType contains "UserAccountCreated" // or ActionType contains "UserAccountModified" | |
| | extend lUserAdded = AccountName | |
| | extend NewUserSID = AccountSid | |
| | extend laccountdomain = AccountDomain |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DefenderATPStatus | |
| { | |
| <# | |
| .SYNOPSIS | |
| Get-DefenderATPStatus | |
| .DESCRIPTION | |
| Get-DefenderATPStatus retrieves the status of Windows Defender ATP | |
| .PARAMETER Computername |
alexverboon
/ T1562.001 - Defender Exclusions modification.md
Last active
August 14, 2023 07:47
T1562.001 - Defender Exclusions modification
alexverboon
/ lolbinsnetworkpublic.kql
Created
May 16, 2021 14:39
Hunt for lolbins connecting to public ip addresses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins just changed Processes to Networkevents | |
| // T1218 Living of the land binaries connecting to the internet | |
| // network activities with lolbins | |
| DeviceNetworkEvents | |
| | where RemoteIPType == 'Public' | |
| | where InitiatingProcessFileName contains "Atbroker.exe" or | |
| InitiatingProcessFileName contains "Bash.exe" or | |
| InitiatingProcessFileName contains "Bitsadmin.exe" or | |
| InitiatingProcessFileName contains "Certutil.exe" or | |
| InitiatingProcessFileName contains "Cmdkey.exe" or |
alexverboon
/ c2threadview_io_kql.md
Last active
June 30, 2023 15:54
C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // code used in https://www.verboon.info/2019/11/how-to-generate-a-monthly-defender-atp-threat-and-vulnerability-report/ | |
| DeviceTvmSoftwareInventoryVulnerabilities | |
| | project DeviceName, SoftwareName, CveId, SoftwareVersion, VulnerabilitySeverityLevel | |
| | join (DeviceTvmSoftwareVulnerabilitiesKB | |
| | project AffectedSoftware, VulnerabilityDescription , CveId , CvssScore , IsExploitAvailable | |
| ) | |
| on CveId | |
| | project CveId , SoftwareName , SoftwareVersion , VulnerabilityDescription , VulnerabilitySeverityLevel, IsExploitAvailable , CvssScore | |
| | distinct SoftwareName , SoftwareVersion, CveId, VulnerabilityDescription , VulnerabilitySeverityLevel, IsExploitAvailable | |
| | sort by SoftwareName asc , SoftwareVersion |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Export-CMScriptResults | |
| { | |
| <# | |
| .Synopsis | |
| Export-CMScriptResults | |
| .DESCRIPTION | |
| Export-CMScriptResults exports the return values from scripts that are executed | |
| through the ConfigMgr Run Script feature. | |
| .PARAMETER ScriptName | |
| The name of the Script as it is displayed within the ConfigMgr Console. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #============================================================================ | |
| # | |
| # Copyright (c) 2021 Microsoft Corporation. All rights reserved. | |
| # | |
| # Abstract: | |
| # MDE installation script | |
| # - Fingerprinting OS and manually installs MDE as described in the online documentation | |
| # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide |
alexverboon
/ Import-SecurityBaselineGPO.ps1
Created
October 7, 2019 18:57
Import-SecurityBaselineGPO
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Import-SecurityBaselineGPO | |
| <# | |
| .Synopsis | |
| Import-SecurityBaselineGPO | |
| .DESCRIPTION | |
| Import-SecurityBaselineGPO | |
| .PARAMETER GPOBackupPath | |
| The path that constains the Security baselines GPO backup | |
| .EXAMPLE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // The below query attempts to get the avg Size in MB per client that is send from Microosoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector | |
| // The calculation is done as following: | |
| // 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents' | |
| // 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents" | |
| // 3 Divide the total BillableDataGB per DataType by the total number of devices that send data to get the avg MB send by client | |
| // 4 finally 'uniion' all tables | |
| let xagotime = 32d; | |
| let xstarttime = 31d; | |
| // File Events |
NewerOlder