Query Details

Device Detect Macro Connecting to Internet

Query

//Detect when an Excel macro connects to the internet.
//Some of the IPs returned may be Microsoft telemetry, but these events are still worth investigating.

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where InitiatingProcessFileName contains "excel.exe"
| where InitiatingProcessCommandLine contains ".xlsm" or InitiatingProcessCommandLine contains ".xltm"
//Exclude Microsoft telemetry endpoints 
| where RemoteUrl !endswith "outlook.com" 
    and RemoteUrl !endswith "office.com"
    and RemoteUrl !endswith "microsoft.com"
    and RemoteUrl !endswith "office365.com"
    and RemoteUrl !endswith "live.com"
    and RemoteUrl !endswith "office.net"
| where RemoteIPType == "Public"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemotePort,
    RemoteUrl

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where InitiatingProcessFileName contains "excel.exe"
| where InitiatingProcessCommandLine contains ".xlsm" or InitiatingProcessCommandLine contains ".xltm"
| where RemoteIPType == "Public"
//Exclude Microsoft telemetry endpoints 
| where RemoteUrl !endswith "outlook.com" 
    and RemoteUrl !endswith "office.com"
    and RemoteUrl !endswith "microsoft.com"
    and RemoteUrl !endswith "office365.com"
    and RemoteUrl !endswith "live.com"
    and RemoteUrl !endswith "office.net"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemotePort,
    RemoteUrl

Explanation

This query detects when an Excel macro connects to the internet. It filters the DeviceNetworkEvents table for events where InitiatingProcessFileName contains "excel.exe" and InitiatingProcessCommandLine contains either ".xlsm" or ".xltm". It excludes Microsoft telemetry endpoints by RemoteUrl suffix and keeps only events with a RemoteIPType of "Public". The query then projects the TimeGenerated (Timestamp in the Advanced Hunting version), DeviceName, InitiatingProcessCommandLine, LocalIP, RemoteIP, RemotePort, and RemoteUrl fields.
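As an added example that is not part of the original query or its author's work, the same filter modelled in Python over a few constructed DeviceNetworkEvents rows, so the logic can be checked offline. It also shows a dot-boundary variant of the suffix exclusion: `!endswith "microsoft.com"` as written also drops a host such as `my-microsoft.com`, which the stricter match keeps for review. Field names follow the table schema; the sample rows, hostnames and IPs are constructed.

```python
# Offline model of the Excel-macro egress query above, run over constructed
# DeviceNetworkEvents rows. KQL `contains`/`endswith` are case-insensitive,
# so values are lowercased before matching.
TELEMETRY_SUFFIXES = ("outlook.com", "office.com", "microsoft.com",
                      "office365.com", "live.com", "office.net")
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessCommandLine",
             "LocalIP", "RemoteIP", "RemotePort", "RemoteUrl")

def is_telemetry_host(remote_url, strict=False):
    """strict=False mirrors the query's `!endswith`; strict=True also requires
    a label boundary, so a lookalike such as my-microsoft.com is not excluded."""
    host = remote_url.lower()
    for suffix in TELEMETRY_SUFFIXES:
        if strict and (host == suffix or host.endswith("." + suffix)):
            return True
        if not strict and host.endswith(suffix):
            return True
    return False

def macro_egress(events, strict=False):
    """Return the projected rows the query would surface."""
    hits = []
    for e in events:
        cmd = e["InitiatingProcessCommandLine"].lower()
        if "excel.exe" not in e["InitiatingProcessFileName"].lower():
            continue
        if ".xlsm" not in cmd and ".xltm" not in cmd:
            continue
        if e["RemoteIPType"] != "Public" or is_telemetry_host(e["RemoteUrl"], strict):
            continue
        hits.append({k: e[k] for k in PROJECTED})
    return hits

def _row(url, ip_type="Public", doc="report.xlsm", ip="203.0.113.10"):
    # Constructed sample row, not real telemetry; keys follow the table schema.
    return {"Timestamp": "2022-06-17T09:00:00Z", "DeviceName": "wks01",
            "InitiatingProcessFileName": "EXCEL.EXE",
            "InitiatingProcessCommandLine": f'"EXCEL.EXE" C:\\Users\\a\\{doc}',
            "LocalIP": "10.0.0.5", "RemoteIP": ip, "RemotePort": 443,
            "RemoteUrl": url, "RemoteIPType": ip_type}

SAMPLE_EVENTS = [
    _row("files.example.net"),                     # macro egress: flagged
    _row("nexus.officeapps.live.com"),             # telemetry suffix: excluded
    _row("my-microsoft.com"),                      # lookalike: only strict keeps it
    _row("files.example.net", doc="budget.xlsx"),  # no macro-enabled extension
    _row("intranet.local", "Private", ip="10.0.0.9"),  # not a public address
]
```

Running `macro_egress(SAMPLE_EVENTS)` returns only the first row; `strict=True` additionally surfaces the lookalike host.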

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIPType, RemoteIP, RemotePort, TimeGenerated, DeviceName, LocalIP, Timestamp

Operators

where, contains, or, !endswith, and, ==, project
