Microsoft Advanced Hunting encoding

advanced_hunting.md

// https://security.microsoft.com/apiproxy/mtp/huntingService/queries/encode

Advanced hunting encodes the query for sharing purposes.

1. \x00 gets added to every second position in the query (DeviceEvents => D\x00e\x00v\x00...)
2. Query gets gzip compressed
3. Compressed query gets base64 encoded with a limited character set.
4. Position 5 - 13 gets replaced with 'A'

You can now send the encoded query through https://security.microsoft.com/v2/advanced-hunting?query={add query here}&timeRangeId=week

Python code:

    from base64 import urlsafe_b64encode
    import gzip
    rule = f"{chr(0)}".join(rule)
    rule = f"{rule}{chr(0)}"
    gzip_rule = gzip.compress(rule.encode())
    encoded = urlsafe_b64encode(gzip_rule).decode()
    return encoded[:4] + "AAAAAAAAA" + encoded[13:]

@umnav

In python:

from base64 import urlsafe_b64decode
import gzip

query = "H4sIAE64i2gAA3NhSGUoY8hkSAbSngx5DGkM-Qy8DFwMNQwKDCUMiQzZQHEFBkMGAMyCPjooAAAA"

# add padding if missing
missing = len(query) % 4
if missing:
    query += "=" * (4 - missing)

# base64 decode it
decode = urlsafe_b64decode(query)
# decompress gzip string
decompress = gzip.decompress(decode)
# decode to UTF16-LE
cleartext_query = decompress.decode("utf-16le")

print(cleartext_query)

In cyberchef: https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Gunzip()Decode_text('UTF-16LE%20(1200)')&input=SDRzSUFPaXppMmdBQTNOaFNHVW9ZOGhrU0FiU3JrQldLa01lUXdsRE1RTXZBeGRERFlNQ2tKM0lrQTBVVldBd1pBQUFpTTlIVGl3QUFBQQ&oenc=65001&oeol=CRLF

Hope that helps :)