Skip to content

Instantly share code, notes, and snippets.

@b401

b401/advanced_hunting.md

Created February 15, 2022 11:21
Show Gist options
  • Save b401/084c21f6fd52dec5251bcbc2010db1f8 to your computer and use it in GitHub Desktop.
Save b401/084c21f6fd52dec5251bcbc2010db1f8 to your computer and use it in GitHub Desktop.
Download ZIP
Microsoft Advanced Hunting encoding
Raw
advanced_hunting.md

// https://security.microsoft.com/apiproxy/mtp/huntingService/queries/encode

Advanced hunting encodes the query for sharing purposes.

  1. \x00 gets added to every second position in the query (DeviceEvents => D\x00e\x00v\x00...)
  2. Query gets gzip compressed
  3. Compressed query gets base64 encoded with a limited character set.
  4. Position 5 - 13 gets replaced with 'A'

You can now send the encoded query through https://security.microsoft.com/v2/advanced-hunting?query={add query here}&timeRangeId=week

Python code:

    from base64 import urlsafe_b64encode
    import gzip
    rule = f"{chr(0)}".join(rule)
    rule = f"{rule}{chr(0)}"
    gzip_rule = gzip.compress(rule.encode())
    encoded = urlsafe_b64encode(gzip_rule).decode()
    return encoded[:4] + "AAAAAAAAA" + encoded[13:]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment