//Detections based on the emerging information found here - https://twitter.com/nao_sec/status/1530196847679401984, https://twitter.com/GossiTheDog/status/1531018365606707206 and https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
//Microsoft Sentinel queries
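//Search your device process events for msdt.exe being generated by Outlook, Word or Excel - should be low noise and high value alerts, seems very rare behaviour
//Match on the child and parent file names rather than on command-line substrings: a command line that omits or
//rewrites "msdt.exe", or an Office parent whose command line does not spell out its own executable name, is still caught.
//The original command-line checks are kept as a fallback so nothing the earlier version returned is lost.
DeviceProcessEvents
| where (FileName =~ "msdt.exe" or ProcessCommandLine contains "msdt.exe")
    and (InitiatingProcessFileName in~ ("outlook.exe", "winword.exe", "excel.exe")
         or InitiatingProcessCommandLine has_any ("outlook.exe", "winword.exe", "excel.exe"))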
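//Search your device process events for msdt.exe spawning processes other than itself
//Compare parent and child file names instead of command-line substrings: with the original
//"ProcessCommandLine !contains msdt.exe" test, any child whose arguments merely mentioned msdt.exe was dropped
//from the results. The parent command-line check is kept as a fallback.
DeviceProcessEvents
| where (InitiatingProcessFileName =~ "msdt.exe" or InitiatingProcessCommandLine contains "msdt.exe")
| where FileName !~ "msdt.exe"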
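//Likely to get false positives with msdt.exe spawning a process other than itself, so instead look for new events seen today for the first time based on distinct process and parent process
//Baseline = every distinct (parent command line, child command line) pair seen between 30 days and 1 day ago;
//the rightanti join keeps only last-day pairs with no baseline match, i.e. combinations first seen today.
//Parent and child are identified by file name (original command-line substring kept as a fallback), so a child whose
//arguments merely mention msdt.exe is no longer excluded.
//NOTE(review): joining on full command lines means any varying argument (paths, GUIDs) counts as "new"; if that is
//too noisy, join on InitiatingProcessFileName, FileName instead.
let lookback = 30d;
let recent = 1d;
let msdtChildren =
    DeviceProcessEvents
    | where (InitiatingProcessFileName =~ "msdt.exe" or InitiatingProcessCommandLine contains "msdt.exe")
    | where FileName !~ "msdt.exe";
msdtChildren
| where TimeGenerated > ago(lookback) and TimeGenerated < ago(recent)
| distinct InitiatingProcessCommandLine, ProcessCommandLine
| join kind=rightanti
(
    msdtChildren
    | where TimeGenerated > ago(recent)
)
on InitiatingProcessCommandLine, ProcessCommandLine
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine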
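//Look for new public connections from "sdiagnhost.exe" or "msdt.exe" as per https://twitter.com/MalwareJake/status/1531088843792957442
//"sdiagnhost.exe" legitimately connects to some internet endpoints as part of Microsoft telemetry so find events new to today to investigate
//Baseline: distinct public RemoteIPs these two processes reached between 30 days and 1 day ago; any other public
//address reached in the last day is reported.
//The RemoteUrl suffix exclusions mirror the Advanced Hunting version of this query further down the file. They are a
//noise filter, not a trust decision: a connection straight to an IP has an empty RemoteUrl and is still kept, and an
//address first seen in the last day is reported regardless of how often it recurs today.
let lookback = 30d;
let recent = 1d;
let knownips =
    DeviceNetworkEvents
    | where TimeGenerated > ago(lookback) and TimeGenerated < ago(recent)
    | where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
DeviceNetworkEvents
| where TimeGenerated > ago(recent)
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIPType == "Public"
| where RemoteIP !in (knownips)
| where RemoteUrl !endswith ".visualstudio.com" and RemoteUrl !endswith ".microsoft.com"
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, LocalIP, RemoteIP, RemotePort, RemoteUrl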
//Advanced Hunting queries
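//Search your device process events for msdt.exe being generated by Outlook, Word or Excel - should be low noise and high value alerts, seems very rare behaviour
//Match on the child and parent file names rather than on command-line substrings: a command line that omits or
//rewrites "msdt.exe", or an Office parent whose command line does not spell out its own executable name, is still caught.
//The original command-line checks are kept as a fallback so nothing the earlier version returned is lost.
DeviceProcessEvents
| where (FileName =~ "msdt.exe" or ProcessCommandLine contains "msdt.exe")
    and (InitiatingProcessFileName in~ ("outlook.exe", "winword.exe", "excel.exe")
         or InitiatingProcessCommandLine has_any ("outlook.exe", "winword.exe", "excel.exe"))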
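//Search your device process events for msdt.exe spawning processes other than itself
//Compare parent and child file names instead of command-line substrings: with the original
//"ProcessCommandLine !contains msdt.exe" test, any child whose arguments merely mentioned msdt.exe was dropped
//from the results. The parent command-line check is kept as a fallback.
DeviceProcessEvents
| where (InitiatingProcessFileName =~ "msdt.exe" or InitiatingProcessCommandLine contains "msdt.exe")
| where FileName !~ "msdt.exe"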
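//Likely to get false positives with msdt.exe spawning a process other than itself, so instead look for new events seen today for the first time based on distinct process and parent process
//Baseline = every distinct (parent command line, child command line) pair seen between 30 days and 1 day ago;
//the rightanti join keeps only last-day pairs with no baseline match, i.e. combinations first seen today.
//Parent and child are identified by file name (original command-line substring kept as a fallback), so a child whose
//arguments merely mention msdt.exe is no longer excluded.
//NOTE(review): joining on full command lines means any varying argument (paths, GUIDs) counts as "new"; if that is
//too noisy, join on InitiatingProcessFileName, FileName instead.
let lookback = 30d;
let recent = 1d;
let msdtChildren =
    DeviceProcessEvents
    | where (InitiatingProcessFileName =~ "msdt.exe" or InitiatingProcessCommandLine contains "msdt.exe")
    | where FileName !~ "msdt.exe";
msdtChildren
| where Timestamp > ago(lookback) and Timestamp < ago(recent)
| distinct InitiatingProcessCommandLine, ProcessCommandLine
| join kind=rightanti
(
    msdtChildren
    | where Timestamp > ago(recent)
)
on InitiatingProcessCommandLine, ProcessCommandLine
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine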
//Look for new public connections from "sdiagnhost.exe" or "msdt.exe" as per https://twitter.com/MalwareJake/status/1531088843792957442
//"sdiagnhost.exe" legitimately connects to some internet endpoints as part of Microsoft telemetry so find events new to today to investigate
//Baseline: distinct public RemoteIPs these processes reached between 30 days and 1 day ago.
//Report: last-day public connections to an address outside that baseline, with Microsoft / Visual Studio hostnames
//dropped as noise (a connection with no RemoteUrl is not removed by the suffix checks).
let baselinePublicIps =
    DeviceNetworkEvents
    | where Timestamp > ago(30d) and Timestamp < ago(1d)
    | where RemoteIPType == "Public"
    | where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
    | distinct RemoteIP;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIP !in (baselinePublicIps)
| where RemoteUrl !endswith ".visualstudio.com"
| where RemoteUrl !endswith ".microsoft.com"
| project Timestamp, ActionType, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, LocalIP, RemoteIP, RemotePort, RemoteUrl