Query Details

Asr Executable Office Content

Query

// To prevent False Positives a FilePrevalanceThreshold is used.
let FilePrevalanceThreshold = 100;
DeviceEvents
// Filter on the specific ActionTypes
| where ActionType in~ ('AsrExecutableOfficeContentAudited', 'AsrExecutableOfficeContentBlocked')
// Enrich results with File information
| invoke FileProfile('SHA1', 10000)
| where GlobalPrevalence <= FilePrevalanceThreshold
| project Timestamp, DeviceName, DeviceId, InitiatingProcessAccountUpn, FileName, FolderPath, ActionType, Signer, GlobalFirstSeen, GlobalPrevalence, SHA1, InitiatingProcessCommandLine, InitiatingProcessFolderPath

About this query

Explanation

This query is designed to detect potentially malicious activities related to Office applications (like Word, Excel, and PowerPoint) creating executable content, which could be used by attackers to maintain persistence on a system. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify instances where Office applications might be used to create executable files that could be harmful. This is a known technique for attackers to maintain persistence on a system by having malicious components that survive reboots.

  2. MITRE ATT&CK Technique: It relates to the "Office Application Startup" technique (T1137), which involves using Office applications to execute malicious code.

  3. Query Details:

    • File Prevalence Threshold: The query uses a threshold to avoid false positives by considering only files that are not commonly seen (less than 100 occurrences globally).
    • Action Types: It looks for specific actions where executable content creation by Office apps was either audited or blocked.
    • File Information: The query enriches the results with file details, including the file's global prevalence, to help determine if the file is suspicious.
  4. Risk: If a malicious Office application runs successfully, it could allow an attacker to gain persistence on the system.

  5. Execution:

    • Defender XDR: The query is best run in Microsoft Defender for Endpoint (MDE) because it uses the FileProfile function, which isn't supported in Sentinel.
    • Sentinel: A similar query can be run in Sentinel, but without the file prevalence filtering.

Overall, this query is part of a security measure to prevent and detect malicious activities involving Office applications creating executable content, which could be used by attackers to compromise systems.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: June 8, 2025

Tables

DeviceEvents

Keywords

DeviceEventsFileInformationOfficeApplicationsPersistenceMaliciousCodeSecurity

Operators

letin~invokewhere<=project

MITRE Techniques

Actions

GitHub