Follina
Query
Follina Detection
----------
// Sources: https://www.reddit.com/r/blueteamsec/comments/v0wgqh/sentinel_kql_detections_for_microsoft_word_zero/ & https://github.com/reprise99/Sentinel-Queries/blob/main/Defender%20for%20Endpoint/Device-msdtPotentialExploit.kql
(union isfuzzy=true
(DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"outlook.exe", @"winword.exe", @"excel.exe")),
(DeviceProcessEvents
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"),
(DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
and RemoteUrl !endswith ".visualstudio.com"
and RemoteUrl !endswith ".microsoft.com")
)Explanation
This query is looking for potential instances of the Follina exploit. It searches for events where the process command line contains "msdt.exe" and the initiating process is either "outlook.exe", "winword.exe", or "excel.exe". It also looks for events where the initiating process command line contains "msdt.exe" but the process command line does not contain "msdt.exe". Additionally, it searches for network events where the initiating process file name is either "sdiagnhost.exe" or "msdt.exe", the remote IP type is "Public", the action type is "ConnectionSuccess", and the remote URL does not end with ".visualstudio.com" or ".microsoft.com".
Details

Bert-Jan Pals
Released: February 14, 2023
Tables
DeviceProcessEventsDeviceNetworkEvents
Keywords
DevicesIntuneUser
Operators
unionisfuzzywherecontainshas_anyand!containsRemoteIPType=="Public"ActionType"ConnectionSuccess"!endswith