Detecting Teams Red Team Tool Convo C2
Query
// Detecting Teams Red Team Tool ConvoC2
// https://cybersecuritynews.com/red-team-tool-to-executes-commands-via-ms-teams/amp/
// DefendXDR Detection
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft Teams"
| where ActionType == @"AppInstalled"
| where parse_json(RawEventData)["AddOnName"] == 'Workflows'Explanation
This KQL (Kusto Query Language) query is designed to detect a specific event related to Microsoft Teams within the last hour. Here's a simple breakdown:
-
Data Source: The query is looking at
CloudAppEvents, which is a log of events related to cloud applications. -
Time Frame: It filters events to only include those that occurred in the past hour (
Timestamp > ago(1h)). -
Application Filter: It specifically focuses on events related to
Microsoft Teams(Application == @"Microsoft Teams"). -
Action Type: It looks for events where an application was installed (
ActionType == @"AppInstalled"). -
Specific Add-On: Finally, it checks if the installed add-on is named 'Workflows' by parsing the
RawEventDatato find theAddOnName.
In summary, this query is detecting if the 'Workflows' add-on was installed in Microsoft Teams within the last hour, which could be relevant for identifying potential use of a Red Team tool as described in the linked article.
Details

Steven Lim
Released: December 11, 2024
Tables
Keywords
Operators