@f-bader
Forked from b401/advanced_hunting.md
Created July 24, 2025 11:57
Microsoft Advanced Hunting encoding

// https://security.microsoft.com/apiproxy/mtp/huntingService/queries/encode

Advanced hunting encodes the query for sharing purposes.

  1. A \x00 byte is inserted after every character of the query (DeviceEvents => D\x00e\x00v\x00...), so the query doubles in length.
  2. The interleaved query is gzip compressed.
  3. The compressed bytes are base64 encoded with the URL-safe alphabet (- and _ instead of + and /).
  4. Positions 5 to 13 of the base64 string (1-based; zero-based indices 4 to 12) are overwritten with 'A'.

The encoded query can then be shared as a link of the form https://security.microsoft.com/v2/advanced-hunting?query={add query here}&timeRangeId=week

Python code:

    from base64 import urlsafe_b64encode
    import gzip


    def encode_query(rule: str) -> str:
        # Step 1: a NUL after every character (D\x00e\x00v\x00...)
        rule = f"{chr(0)}".join(rule)
        rule = f"{rule}{chr(0)}"
        # Step 2: gzip compress
        gzip_rule = gzip.compress(rule.encode())
        # Step 3: URL-safe base64
        encoded = urlsafe_b64encode(gzip_rule).decode()
        # Step 4: positions 5-13 (indices 4-12) become 'A'
        return encoded[:4] + "AAAAAAAAA" + encoded[13:]
umnav commented Jul 31, 2025

I can't seem to figure out how to write code to decrypt queries based on this :/
Would you be able to help by any chance? Thanks in advance!
