
Workflow Template: Endpoint Persistence Threat Hunting via Microsoft Defender XDR

Runs Threat Hunting KQL queries in Microsoft Defender XDR to detect host-based persistence techniques across endpoints.

The "Endpoint Persistence Threat Hunting via Microsoft Defender XDR" workflow template is designed for security teams to detect host-based persistence techniques across endpoints using Microsoft Defender XDR. By leveraging KQL queries, this workflow hunts for suspicious activities such as scheduled tasks, startup folder changes, new services, and registry modifications. It aggregates findings into a structured output, aiding in comprehensive threat analysis and enhancing endpoint detection and response capabilities.

Use Cases

Endpoint Detection and Response (EDR), Threat Hunting

Workflow Breakdown

  1. If hash + device ID available: hunt scheduled tasks, startup folder, new services, service registry keys, and renamed system files.

  2. If hash + device ID + file name available: hunt persistence registry keys (Run, RunOnce, Winlogon, Services, Shell Folders).

  3. If device ID or device name available: hunt new local users, new groups, group membership changes, firewall rule changes, and hosts file modifications.

  4. Aggregate all hunt results into a structured output with hit/count/results per technique category.
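As an added illustration, not code from the template or its vendor, the Python sketch below models the three-step input gating and the final aggregation described above: each hunt group is run only when its required inputs are present, each KQL query is submitted through a caller-supplied executor, and the rows come back as hit/count/results per technique. The table, column and ActionType names in the KQL strings follow the Defender XDR Advanced Hunting schema as I understand it and are assumptions to verify against the schema reference; the new-group and firewall-rule hunts from step 3 are omitted because I am not certain of their event names. `fake_execute` and its sample row are constructed stand-ins for the Advanced Hunting API.

```python
import json
from typing import Callable

# Representative KQL per technique category, grouped by the input bundle the
# workflow requires.  Table, column and ActionType names are assumptions based
# on the Advanced Hunting schema; check them before use against a real tenant.
HUNTS = {
    "hash_device_findings": {
        "scheduled_tasks": 'DeviceEvents | where DeviceId == "{device_id}" and ActionType == "ScheduledTaskCreated" and InitiatingProcessSHA256 == "{hash}"',
        "startup_folder": r'DeviceFileEvents | where DeviceId == "{device_id}" and SHA256 == "{hash}" and FolderPath has @"\Start Menu\Programs\Startup"',
        "new_services": 'DeviceEvents | where DeviceId == "{device_id}" and ActionType == "ServiceInstalled" and InitiatingProcessSHA256 == "{hash}"',
        "service_registry_keys": r'DeviceRegistryEvents | where DeviceId == "{device_id}" and InitiatingProcessSHA256 == "{hash}" and RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"',
        "renamed_system_files": r'DeviceFileEvents | where DeviceId == "{device_id}" and SHA256 == "{hash}" and ActionType == "FileRenamed" and FolderPath has @"\Windows\System32"',
    },
    "registry_findings": {
        "persistence_run_keys": r'DeviceRegistryEvents | where DeviceId == "{device_id}" and ActionType == "RegistryValueSet" and RegistryKey has_any (@"\CurrentVersion\Run", @"\CurrentVersion\RunOnce", @"\Winlogon", @"\CurrentControlSet\Services", @"\Shell Folders") and (RegistryValueData has "{file_name}" or InitiatingProcessSHA256 == "{hash}")',
    },
    "device_findings": {
        "new_local_users": 'DeviceEvents | where {device_filter} and ActionType == "UserAccountCreated"',
        "group_membership_changes": 'DeviceEvents | where {device_filter} and ActionType == "UserAccountAddedToLocalGroup"',
        "hosts_file_modifications": r'DeviceFileEvents | where {device_filter} and FolderPath endswith @"\drivers\etc\hosts"',
    },
}

# Input fields that unlock each group; each inner tuple is one sufficient set.
REQUIRED = {
    "hash_device_findings": (("hash", "device_id"),),
    "registry_findings": (("hash", "device_id", "file_name"),),
    "device_findings": (("device_id",), ("device_name",)),
}


def device_filter(inputs: dict) -> str:
    """KQL predicate selecting the device by ID, by name, or by either when both are known."""
    parts = []
    if inputs.get("device_id"):
        parts.append(f'DeviceId == "{inputs["device_id"]}"')
    if inputs.get("device_name"):
        parts.append(f'DeviceName == "{inputs["device_name"]}"')
    return "(" + " or ".join(parts) + ")"


def run_persistence_hunts(inputs: dict, execute: Callable[[str], list]) -> dict:
    """Run every hunt the inputs allow and aggregate hit/count/results per technique.

    `execute` submits one KQL string to Advanced Hunting and returns its rows;
    a group whose required inputs are missing is reported as None (not hunted).
    """
    params = {k: inputs.get(k, "") for k in ("hash", "device_id", "file_name", "device_name")}
    params["device_filter"] = device_filter(inputs)
    output = {}
    for group, hunts in HUNTS.items():
        if not any(all(inputs.get(f) for f in alt) for alt in REQUIRED[group]):
            output[group] = None
            continue
        output[group] = {}
        for technique, template in hunts.items():
            rows = execute(template.format(**params))
            output[group][technique] = {"hit": bool(rows), "count": len(rows), "results": rows}
    return output


# Constructed stand-in for the Advanced Hunting API: returns one sample row for
# the scheduled-task hunt on the sample device and nothing for every other query.
SAMPLE_ROW = {"Timestamp": "2024-01-01T00:00:00Z", "DeviceId": "dev-0001",
              "ActionType": "ScheduledTaskCreated", "InitiatingProcessFileName": "schtasks.exe"}


def fake_execute(kql: str) -> list:
    if "ScheduledTaskCreated" in kql and 'DeviceId == "dev-0001"' in kql:
        return [SAMPLE_ROW]
    return []


if __name__ == "__main__":
    # Only hash + device ID are known, so the registry group is skipped.
    findings = run_persistence_hunts({"hash": "a" * 64, "device_id": "dev-0001"}, fake_execute)
    print(json.dumps(findings, indent=2))
```

To use this against a real tenant, replace `fake_execute` with a function that posts the KQL to the Advanced Hunting API and returns the result rows; the gating and aggregation logic stays the same.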

Vendors

Utils, Microsoft 365

Workflow Output

hash_device_findings, registry_findings, device_findings: each contains a hit boolean, a count, and the raw KQL results.
