Query Details

Follina

Query

Follina Detection
----------
    // Sources: https://www.reddit.com/r/blueteamsec/comments/v0wgqh/sentinel_kql_detections_for_microsoft_word_zero/ & https://github.com/reprise99/Sentinel-Queries/blob/main/Defender%20for%20Endpoint/Device-msdtPotentialExploit.kql
    (union isfuzzy=true
    (DeviceProcessEvents
    | where ProcessCommandLine contains "msdt.exe"
    | where InitiatingProcessFileName has_any (@"outlook.exe", @"winword.exe", @"excel.exe")),
    (DeviceProcessEvents
    | where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"),
    (DeviceNetworkEvents
    | where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
    | where RemoteIPType == "Public"
    | where ActionType == "ConnectionSuccess"
    and RemoteUrl !endswith ".visualstudio.com"
    and RemoteUrl !endswith ".microsoft.com")
    )

Explanation

This query looks for potential instances of the Follina exploit by combining three searches. First, it matches process events where the process command line contains "msdt.exe" and the initiating process is "outlook.exe", "winword.exe", or "excel.exe" (the troubleshooter being launched from an Office application). Second, it matches process events where the initiating process command line contains "msdt.exe" but the process command line does not, i.e. child processes spawned by msdt.exe. Third, it matches network events where the initiating process file name is "sdiagnhost.exe" or "msdt.exe", the remote IP type is "Public", the action type is "ConnectionSuccess", and the remote URL does not end with ".visualstudio.com" or ".microsoft.com", so that ordinary Microsoft diagnostic traffic is excluded.
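As an added example (not from the page or its author), the same three detection branches re-implemented in Python and run over constructed sample telemetry; the helper names and the record dictionaries are my own, and KQL's case-insensitive string operators are approximated with lower-casing.

```python
# Added example: the three branches of the Follina KQL query above, re-implemented
# over constructed DeviceProcessEvents / DeviceNetworkEvents records (not real data).

def kql_contains(value, needle):
    # KQL `contains` / `!contains` are case-insensitive substring matches; a
    # missing column behaves like an empty string.
    return needle.lower() in (value or "").lower()

def kql_has_any(value, terms):
    # KQL `has_any` is a case-insensitive term match; for a bare file name
    # column a case-insensitive equality is a close approximation (assumption).
    return (value or "").lower() in [t.lower() for t in terms]

def kql_endswith(value, suffix):
    # KQL `endswith` / `!endswith` are also case-insensitive.
    return (value or "").lower().endswith(suffix.lower())

def match_process_event(ev):
    """Branches 1 and 2: msdt.exe launched from Office, or a child of msdt.exe."""
    office_parent = (kql_contains(ev.get("ProcessCommandLine"), "msdt.exe") and
                     kql_has_any(ev.get("InitiatingProcessFileName"),
                                 ["outlook.exe", "winword.exe", "excel.exe"]))
    msdt_child = (kql_contains(ev.get("InitiatingProcessCommandLine"), "msdt.exe") and
                  not kql_contains(ev.get("ProcessCommandLine"), "msdt.exe"))
    return office_parent or msdt_child

def match_network_event(ev):
    """Branch 3: sdiagnhost/msdt with a successful connection to a public, non-Microsoft host."""
    return (kql_has_any(ev.get("InitiatingProcessFileName"), ["sdiagnhost.exe", "msdt.exe"])
            and ev.get("RemoteIPType") == "Public"
            and ev.get("ActionType") == "ConnectionSuccess"
            and not kql_endswith(ev.get("RemoteUrl"), ".visualstudio.com")
            and not kql_endswith(ev.get("RemoteUrl"), ".microsoft.com"))

def follina_hits(process_events, network_events):
    # Equivalent of the `union isfuzzy=true` of the three branches.
    return ([e for e in process_events if match_process_event(e)] +
            [e for e in network_events if match_network_event(e)])

# Constructed sample telemetry (hypothetical values, not from any incident).
PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "WINWORD.EXE", "ProcessCommandLine": "msdt.exe /id PCWDiagnostic"},
    {"InitiatingProcessFileName": "explorer.exe", "ProcessCommandLine": "msdt.exe -id NetworkDiagnosticsWeb"},  # user-launched troubleshooter, not matched
    {"InitiatingProcessCommandLine": "msdt.exe /id PCWDiagnostic", "ProcessCommandLine": "sdiagnhost.exe -Embedding"},
]
NETWORK_EVENTS = [
    {"InitiatingProcessFileName": "sdiagnhost.exe", "RemoteIPType": "Public", "ActionType": "ConnectionSuccess", "RemoteUrl": "example.invalid"},
    {"InitiatingProcessFileName": "msdt.exe", "RemoteIPType": "Public", "ActionType": "ConnectionSuccess", "RemoteUrl": "go.microsoft.com"},  # excluded by !endswith
]
```

Running `follina_hits(PROCESS_EVENTS, NETWORK_EVENTS)` on the constructed records returns three hits: the Office-launched msdt.exe, the sdiagnhost.exe child, and the public non-Microsoft connection.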

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceProcessEvents, DeviceNetworkEvents

Keywords

Devices, Intune, User

Operators

union, isfuzzy, where, contains, has_any, and, !contains, ==, !endswith
