This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
Releases: microsoft/Microsoft-365-Defender-Hunting-Queries
MDATP Advanced Hunting sample queries
Merge pull request #105 from pasilva-msft/patch-1 Change from AccountName To AccountSid
MDATP Advanced Hunting sample queries
Merge pull request #114 from anvascon/patch-1 Update WD AV Signature and Platform Version.txt
MDATP Advanced Hunting sample queries
Merge pull request #113 from rosenmoore/master improve detection of use of net.exe on CLI
MDATP Advanced Hunting sample queries
Merge pull request #71 from anthonws/master PUA ThreatName Per Computer
MDATP Advanced Hunting sample queries
Merge pull request #65 from FlyingBlueMonkey/patch-1 Create ExploitGuardNetworkProtectionEvents.txt
MDATP Advanced Hunting sample queries
Merge pull request #104 from makislev/master Update github queries to use the new advanced hunting device schema
MDATP Advanced Hunting sample queries
Exclude Engine Updates and Empty lines (#101)
* Exclude Engine Updates and Empty lines
This excludes engine updates (so really only signature updates are shown) and excludes empty lines. Engine Updates were in the result set due to entries like this:
MpSigStub.exe /stub 1.1.16500.1 /payload 1.1.16500.1 /MpWUStub /program C:\windows\SoftwareDistribution\Download\Install\AM_Engine.exe /LastPackage
AM_Engine.exe is the file name of engine updates. Empty results came from this command line "MpSigStub.exe /Store" and the corresponding file name is wuauclt.exe
* Removed case sensitivity
MDATP Advanced Hunting sample queries
95390 Update README.md
94552 Update README.md