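//Detect when an Excel macro connects to the internet.
//Some IPs returned may be Microsoft telemetry but these events are still worth investigating.
//Microsoft Sentinel query
DeviceNetworkEvents
//Match the image name exactly (case-insensitive) rather than as a substring, so
//"notexcel.exe" is not picked up by accident.
| where InitiatingProcessFileName =~ "excel.exe"
//Macro-enabled workbook (.xlsm) or macro-enabled template (.xltm) on the command line.
| where InitiatingProcessCommandLine contains ".xlsm" or InitiatingProcessCommandLine contains ".xltm"
//Exclude Microsoft telemetry endpoints.
//The bare apex is matched exactly and subdomains are matched on a dot boundary:
//a plain endswith "microsoft.com" would also exclude a lookalike such as
//"notmicrosoft.com" and hide exactly the traffic this query exists to surface.
| where RemoteUrl !in~ ("outlook.com", "office.com", "microsoft.com", "office365.com", "live.com", "office.net")
| where not(RemoteUrl endswith ".outlook.com"
    or RemoteUrl endswith ".office.com"
    or RemoteUrl endswith ".microsoft.com"
    or RemoteUrl endswith ".office365.com"
    or RemoteUrl endswith ".live.com"
    or RemoteUrl endswith ".office.net")
//Only outbound connections to public address space are of interest here.
| where RemoteIPType == "Public"
| project
TimeGenerated,
DeviceName,
InitiatingProcessCommandLine,
LocalIP,
RemoteIP,
RemotePort,
RemoteUrl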
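//Advanced Hunting query
//Detect when an Excel macro connects to the internet (Defender Advanced Hunting schema:
//Timestamp instead of TimeGenerated).
DeviceNetworkEvents
//Match the image name exactly (case-insensitive) rather than as a substring, so
//"notexcel.exe" is not picked up by accident.
| where InitiatingProcessFileName =~ "excel.exe"
//Macro-enabled workbook (.xlsm) or macro-enabled template (.xltm) on the command line.
| where InitiatingProcessCommandLine contains ".xlsm" or InitiatingProcessCommandLine contains ".xltm"
//Only outbound connections to public address space are of interest here.
| where RemoteIPType == "Public"
//Exclude Microsoft telemetry endpoints.
//The bare apex is matched exactly and subdomains are matched on a dot boundary:
//a plain endswith "microsoft.com" would also exclude a lookalike such as
//"notmicrosoft.com" and hide exactly the traffic this query exists to surface.
| where RemoteUrl !in~ ("outlook.com", "office.com", "microsoft.com", "office365.com", "live.com", "office.net")
| where not(RemoteUrl endswith ".outlook.com"
    or RemoteUrl endswith ".office.com"
    or RemoteUrl endswith ".microsoft.com"
    or RemoteUrl endswith ".office365.com"
    or RemoteUrl endswith ".live.com"
    or RemoteUrl endswith ".office.net")
| project
Timestamp,
DeviceName,
InitiatingProcessCommandLine,
LocalIP,
RemoteIP,
RemotePort,
RemoteUrl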