Query Details

Asr Office Child Process Audited Query

Query

# Rule : Detection of Office Child Processes Through ASR

## Description
This detection rule identifies child processes spawned by Microsoft Office applications that have been audited by Advanced Security Rules (ASR), excluding `onedrive.exe`. Monitoring for child processes created by Office applications is crucial because malicious actors often use Office macros to launch additional processes to execute malicious payloads. By excluding known and trusted processes like OneDrive, this rule focuses on identifying potentially suspicious activities that could compromise the system.

This rule helps identify and audit unusual child processes initiated by Office applications, providing an early warning for potential malicious activities.

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is "AsrOfficeChildProcessAudited".
  - The `FileName` is not "onedrive.exe".

## Tags
- Office Security
- Child Processes
- Macro Security
- Malware
- Advanced Security Rules (ASR)
- Suspicious Activity

## Search Query
```kql
DeviceEvents 
| where ActionType == "AsrOfficeChildProcessAudited"
| where FileName != "onedrive.exe"
```

Explanation

This query is designed to detect potentially suspicious activities by monitoring child processes created by Microsoft Office applications. Here's a simplified summary:

  • Purpose: To identify and audit unusual child processes spawned by Office applications, excluding the trusted process onedrive.exe.
  • Why It Matters: Malicious actors often use Office macros to launch harmful processes. By focusing on these child processes, the rule aims to catch early signs of malicious activity.
  • How It Works:
    • It looks at DeviceEvents where the ActionType is "AsrOfficeChildProcessAudited".
    • It filters out any events where the FileName is "onedrive.exe".

Search Query Breakdown

```kql
DeviceEvents
| where ActionType == "AsrOfficeChildProcessAudited"
| where FileName != "onedrive.exe"
```

  • DeviceEvents: The dataset being queried.
  • ActionType == "AsrOfficeChildProcessAudited": Filters for events where Office applications have created child processes that are audited by Advanced Security Rules.
  • FileName != "onedrive.exe": Excludes events where the child process is onedrive.exe, focusing on potentially suspicious processes.
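An extended version of the same hunt, added here as an example and not part of the original rule: it keeps the rule's `ActionType` filter, makes the OneDrive exclusion case-insensitive (KQL `!=` compares strings case-sensitively, so a child logged as `OneDrive.exe` would not be excluded by the original query), and adds the parent/child and command-line columns an analyst needs to triage hits. The column names are from the standard `DeviceEvents` schema; the `ExcludedChildren` list is an assumption to tune per environment.

```kql
// Added example, not the original rule's query. Same ActionType filter as the
// rule, with a case-insensitive exclusion list and triage columns.
let ExcludedChildren = dynamic(["onedrive.exe"]);   // assumption: extend per environment
DeviceEvents
| where ActionType == "AsrOfficeChildProcessAudited"
// "!=" is case-sensitive in KQL, so "OneDrive.exe" passes the original filter;
// "!in~" compares case-insensitively against the whole exclusion list.
| where FileName !in~ (ExcludedChildren)
| project Timestamp, DeviceName, AccountName,
          ParentProcess = InitiatingProcessFileName,        // the Office application
          ParentCommandLine = InitiatingProcessCommandLine, // e.g. the document that was opened
          ChildProcess = FileName,
          ChildPath = FolderPath,
          ChildCommandLine = ProcessCommandLine
// Aggregate parent/child pairs so rare combinations surface first for review.
| summarize Events = count(),
            Devices = dcount(DeviceName),
            Accounts = dcount(AccountName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleChildCommandLine = take_any(ChildCommandLine)
    by ParentProcess, ChildProcess
| order by Events asc
```

Sorting ascending by event count puts the least common parent/child pairs at the top, which is where macro-launched interpreters and living-off-the-land binaries usually appear; frequent pairs that prove benign are candidates for the exclusion list.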

Tags

  • Office Security: Related to securing Microsoft Office applications.
  • Child Processes: Focuses on processes initiated by other applications.
  • Macro Security: Involves security related to Office macros.
  • Malware: Pertains to detecting malicious software.
  • Advanced Security Rules (ASR): Uses advanced security auditing rules.
  • Suspicious Activity: Aims to identify potentially harmful actions.

Details


Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, Office Security, Child Processes, Macro Security, Malware, Advanced Security Rules, Suspicious Activity

Operators

`==`, `!=`, `|`