Query Details

Find all the connections that have been made by Office from a compromised device.

MDE Connections Made By Office Compromised Device

Query

let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let CompromisedDevice = "laptop1";
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
| extend Connection = split(RegistryKey, @"SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache", 1)
| extend Domain = extract(@"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+", 0, RegistryKey)
| project-reorder Domain, Connection

About this query

Find all the connections that have been made by Office from a compromised device.


Defender XDR

let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let CompromisedDevice = "laptop1";
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
| extend Connection = split(RegistryKey, @"SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache", 1)
| extend Domain = extract(@"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+", 0, RegistryKey)
| project-reorder Domain, Connection

Sentinel

Explanation

This query is designed to identify network connections made by Microsoft Office applications from a specific compromised device, named "laptop1," within the last 7 days. It does this by examining registry events that indicate when Office applications have stored information about servers they have connected to. Here's a breakdown of what the query does:

  1. Define Variables:

    • ConnectionsMadeByOfficeRegKey: This is the registry path where Office stores information about servers it has connected to.
    • CompromisedDevice: The name of the device that is suspected to be compromised, in this case, "laptop1."
    • SearchWindow: The time frame for the search, set to the last 7 days.
  2. Filter Events:

    • The query looks at DeviceRegistryEvents, which logs changes to the registry.
    • It filters these events to only include those that occurred within the last 7 days (SearchWindow).
    • It further narrows down to events from the specific compromised device (DeviceName == CompromisedDevice).
    • It only considers events where a registry value was set (ActionType == "RegistryValueSet").
    • It specifically looks for registry keys that contain the path defined in ConnectionsMadeByOfficeRegKey.
  3. Extract Information:

    • The query extracts the connection details from the registry key by splitting the key at the specified path.
    • It also extracts the domain name from the registry key using a regular expression.
  4. Output:

    • The results are reordered to show the domain and connection details.

This query helps in identifying potentially malicious or unauthorized connections made by Office applications from a compromised device, which can be crucial for security investigations.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceRegistryEvents

Keywords

ConnectionsDeviceOfficeDomainRegistry

Operators

letagowherecontainsextendsplitextractproject-reorder

Actions

GitHub