Query Details

MDE Connections Made By Office Compromised Device

Query

# Find all the connections that have been made by Office from a compromised device. 
----
### Defender For Endpoint

```
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let CompromisedDevice = "laptop1";
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
| extend Connection = split(RegistryKey, @"SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache", 1)
| extend Domain = extract(@"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+", 0, RegistryKey)
| project-reorder Domain, Connection
```
### Sentinel
```
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let CompromisedDevice = "laptop1";
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
| extend Connection = split(RegistryKey, @"SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache", 1)
| extend Domain = extract(@"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+", 0, RegistryKey)
| project-reorder Domain, Connection
```

Explanation

The query searches for connections made by Microsoft Office from a compromised device. It reads DeviceRegistryEvents for RegistryValueSet actions under the Office Server Cache key, restricted to the given device name and search window. It then splits the registry key after the Server Cache path to obtain the connection (the server URL Office recorded) and extracts the domain from the registry key with a regular expression. The result is a list of domains and connections made by Office from the compromised device. Two caveats for analysts: the Server Cache key holds servers Office has contacted and cached, so it reflects document-level connections (for example a SharePoint or WebDAV location a file was opened from) rather than every network connection the Office processes made; and the Domain regex only matches lowercase hostnames ending in an alphabetic TLD, so IP-literal servers return an empty Domain while the Connection column still shows the full URL.
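As an added offline check (not part of the original query or the author's repository), the following Python runs the query's Domain regex verbatim next to a URL-parsing alternative over constructed RegistryKey strings, so the cases where the two disagree (mixed-case hostnames, IP-literal hosts, values written on the Server Cache key itself) can be seen before trusting the Domain column. The sample keys, SID and URLs are constructed; the Server Cache subkey is assumed to be the URL Office contacted.

```python
import re
from urllib.parse import urlsplit

# Registry path the query keys on, compared case-insensitively like KQL 'contains'.
SERVER_CACHE_KEY = "\\software\\microsoft\\office\\16.0\\common\\internet\\server cache\\"

# The query's Domain regex, kept verbatim so its behaviour can be checked offline.
PAGE_DOMAIN_RE = re.compile(r"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+")


def page_domain(registry_key: str) -> str:
    """Mirror of the query's extract(): first match anywhere in the key, '' if none."""
    m = PAGE_DOMAIN_RE.search(registry_key)
    return m.group(0) if m else ""


def parse_server_cache_key(registry_key: str):
    """Return {'connection', 'host', 'port'} for a key below Server Cache, else None.

    The subkey after 'Server Cache\\' is treated as the URL Office contacted and parsed
    as a URL, so IP-literal and mixed-case hosts are handled, unlike the regex above.
    """
    idx = registry_key.lower().find(SERVER_CACHE_KEY)
    if idx < 0:
        return None  # not a server subkey (or a value on the Server Cache key itself)
    connection = registry_key[idx + len(SERVER_CACHE_KEY):]
    parts = urlsplit(connection)
    if not parts.hostname:
        return None
    return {"connection": connection, "host": parts.hostname, "port": parts.port}


# Constructed sample RegistryKey values in the shape DeviceRegistryEvents reports them.
_PREFIX = r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache"
SAMPLE_KEYS = [
    _PREFIX + r"\https://contoso.sharepoint.com/sites/team/",  # plain lowercase host
    _PREFIX + r"\https://Files.Contoso.com:8443/dav/",         # mixed case plus port
    _PREFIX + r"\http://10.20.30.40/share/",                   # IP-literal host
    _PREFIX,                                                   # value on the key itself
]


def compare(keys=SAMPLE_KEYS):
    """Pair the regex result with the parsed host for each key: (regex_domain, host)."""
    rows = []
    for key in keys:
        parsed = parse_server_cache_key(key)
        rows.append((page_domain(key), parsed["host"] if parsed else None))
    return rows


if __name__ == "__main__":
    for regex_domain, host in compare():
        print(f"regex={regex_domain!r:26} parsed_host={host!r}")
```

The second row shows the regex returning a truncated domain for a mixed-case host and the third an empty Domain for an IP-literal server, which is why the Connection column should be kept alongside Domain when reviewing results.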

Details

Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceRegistryEvents

Keywords

Connections,Office,CompromisedDevice,DefenderForEndpoint,Sentinel,DeviceRegistryEvents,Timestamp,DeviceName,ActionType,RegistryValueSet,RegistryKey,Connection,Domain,Project-reorder

Operators

where, let, @, ago, DeviceRegistryEvents, |, ==, contains, extend, split, extract, project-reorder