Query Details

CVE-2024-38112 ZERO-DAY TRICKS IN .URL TO LURE VICTIMS

Query

// CVE-2024-38112 ZERO-DAY TRICKS IN dot URL TO LURE VICTIMS
// https://www.linkedin.com/posts/activity-7217706847808499713-AGPd/

Defenders using Microsoft Sentinel or Microsoft Defender XDR can run the following KQL detection over Defender for Endpoint (MDE) data to monitor for .url files written to disk by Outlook or Teams, the delivery step of this attack:

DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".url"        // endswith is case-insensitive, so ".URL" is matched as well
| where InitiatingProcessFileName contains "outlook.exe"
     or InitiatingProcessFileName contains "teams.exe"   // contains also matches ms-teams.exe (new Teams)

Explanation

This KQL query is designed to help defenders using Microsoft Sentinel or Microsoft Defender XDR detect one stage of the attack chain associated with CVE-2024-38112, a Windows MSHTML platform spoofing vulnerability in which a crafted .url (internet shortcut) file is used to lure the victim and open the attacker's link in Internet Explorer instead of the default browser. Here's a simple summary of what the query does:

  1. Monitors File Creation Events: It looks at events where files are created on devices.
  2. Focuses on URL Files: It specifically filters for files whose name ends in ".url" (the endswith operator is case-insensitive, so ".URL" is covered too).
  3. Checks for Specific Programs: It further narrows down the search to files created by processes whose name contains "outlook.exe" or "teams.exe", i.e. the mail and chat clients through which the shortcut is delivered.

In essence, this query surfaces .url files written to disk by Microsoft Outlook or Teams, which is the moment a malicious shortcut delivered as a mail attachment or chat file lands on the endpoint. Two caveats when tuning it: the process-name filter does not match the new Outlook for Windows client, which runs as olk.exe, and legitimate internet shortcuts saved from those clients will also appear, so review the FolderPath and SHA256 columns and what happened on the device afterwards before turning this into an alert.
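The following is an added example, not part of the original post, that builds on the query above in two ways: it widens the process filter to the newer client binaries (olk.exe for new Outlook and ms-teams.exe for new Teams, both assumptions about the client versions in your estate that you should confirm in your own data), and it correlates each .url drop with an Internet Explorer launch (iexplore.exe) on the same device within the following hour, since CVE-2024-38112 abuses the mhtml: handler to force the link open in IE. Column names are those of the Defender for Endpoint DeviceFileEvents and DeviceProcessEvents tables; the one-hour window and the severity labels are arbitrary choices for illustration.

```kql
// Added example (not from the original post). Assumes Defender XDR advanced hunting
// or a Sentinel workspace with the MDE DeviceFileEvents and DeviceProcessEvents tables.
let lookback = 7d;
let follow_up_window = 1h;   // assumption: how long after the drop an IE launch still counts
// olk.exe and ms-teams.exe are assumed names for the new Outlook and new Teams clients
let mail_and_chat_clients = dynamic(["outlook.exe", "olk.exe", "teams.exe", "ms-teams.exe"]);
let url_drops =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".url"                       // case-insensitive, covers .URL
    | where InitiatingProcessFileName in~ (mail_and_chat_clients)
    | project DropTime = Timestamp, DeviceId, DeviceName,
              Account = InitiatingProcessAccountName,
              DroppedBy = InitiatingProcessFileName, FolderPath, SHA256;
let ie_launches =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "iexplore.exe"                    // IE started despite Edge being default
    | project IeTime = Timestamp, DeviceId,
              IeParent = InitiatingProcessFileName, IeCommandLine = ProcessCommandLine;
url_drops
| join kind=leftouter ie_launches on DeviceId
// Count only IE launches that fall inside the window after this particular drop;
// drops with no IE activity keep a count of 0 instead of being filtered away.
| summarize IeLaunchesInWindow = countif(IeTime between (DropTime .. (DropTime + follow_up_window))),
            IeParent = take_anyif(IeParent, IeTime between (DropTime .. (DropTime + follow_up_window))),
            IeCommandLine = take_anyif(IeCommandLine, IeTime between (DropTime .. (DropTime + follow_up_window)))
    by DropTime, DeviceName, Account, DroppedBy, FolderPath, SHA256
| extend Severity = iff(IeLaunchesInWindow > 0,
                        "High: .url drop followed by Internet Explorer launch",
                        "Medium: .url dropped by mail or chat client")
| order by IeLaunchesInWindow desc, DropTime desc
```

The leftouter join plus countif keeps every .url drop in the output, so you do not lose the medium-severity rows on devices where IE happened to run at an unrelated time; only launches inside the window after that specific drop raise the row to high. The IeCommandLine column is what you would inspect for the mhtml: prefix described in the public research on this CVE.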

Details

Steven Lim

Released: August 2, 2024

Tables

DeviceFileEvents

Keywords

Devices

Operators

==, endswith, or, contains