Vuln-CVE-2021-40444.kql
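// CVE-2021-40444 (MSHTML) hunting.
// Step 1: find mshtml image-load events whose initiating process is one of
//         the listed Office executables.
// Step 2: join back to DeviceProcessEvents on the same device and keep
//         processes whose initiating (parent) process is also an Office
//         executable, that are not the Office executable itself, and that
//         were created within +/-5 minutes of the image load.
// Notes:
//   - All file-name comparisons are case-insensitive (in~ / tolower): the
//     original used a case-sensitive `in` for the mshtml names, so a load
//     logged as e.g. "MSHTML.dll" would have been missed.
//   - The join key is DeviceName only, so the right side is every process
//     event on the device within the query's time range; keep the query
//     time range narrow (or add a TimeGenerated filter to both tables) on
//     large tenants.
//   - The final project drops the left-side context columns
//     (InitiatingProcessCommandLine, parent name/creation time); keep them
//     in the output while tuning out benign hits.
let process = dynamic(["winword.exe", "wordview.exe", "wordpad.exe", "powerpnt.exe", "excel.exe"]);
// both observed mshtml file names; matched with in~ so casing does not matter
let mshtml = dynamic(["mshtml.dll", "Microsoft.mshtml.dll"]);
DeviceImageLoadEvents
| where FileName in~ (mshtml)
| where InitiatingProcessFileName in~ (process)
// FileName / InitiatingProcessFileName are deliberately not projected here,
// so the right side's columns of the same name come through unsuffixed
| project ImageLoadTime=TimeGenerated, DeviceName, InitiatingProcessFolderPath,
InitiatingProcessParentFileName, InitiatingProcessParentCreationTime,
InitiatingProcessCommandLine
| join kind=inner (
DeviceProcessEvents)
on DeviceName
| extend ProcessTime = TimeGenerated
| extend FileNameLower = tolower(FileName)
| extend InitiatingFileNameLower = tolower(InitiatingProcessFileName)
// right-side parent must also be an Office executable
| where InitiatingProcessFileName in~ (process)
// drop events where the spawned process is the Office executable itself
| where FileNameLower != InitiatingFileNameLower
// correlate within a 5-minute window either side of the mshtml load
| where ProcessTime between ((ImageLoadTime-timespan(5min)).. (ImageLoadTime+timespan(5min)))
| project ImageLoadTime, ProcessTime, DeviceName, InitiatingProcessFileName, FileName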