Query Details

Endpoints accessing .zip or .mov websites

Network Zipandmov Access

Query

DeviceNetworkEvents
// Define the time you are interested to look into
| where TimeGenerated > ago(1d)
// Remove the line below in case you want to look into both successful and unsuccessful events
| where ActionType == "ConnectionSuccess"
// The line below refers to connections made when requesting a .zip through file explorer
// | where InitiatingProcessFileName == @"svchost.exe"
// Define RemoteURL
| where RemoteUrl startswith "https://" or RemoteUrl startswith "http://"
// Define domain as a string that includes a domain exclusively leaving outside .zip or .mov accessed files for download
| extend domain = tostring(extract("https?://([^:/]*)(:?)(/|$)", 1, RemoteUrl)) 
// String should exclusively look for .zip or .mov TLDs
| where domain endswith ".zip" or domain endswith ".mov"
| project Timestamp, DeviceName, ActionType, RemoteUrl
// Sort by newsest events first
| sort by Timestamp desc

About this query

Explanation

This query is designed to identify endpoints that are accessing websites with .zip or .mov domains. It focuses on requests for .zip and .mov files made through file explorer and filters out successful connection events. The query retrieves information such as the timestamp, device name, action type, and remote URL for these events. It can be used in Microsoft 365 Defender or Microsoft Sentinel. The query is mapped to MITRE ATT&CK technique T1204.001 (User Execution: Malicious Link).

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceNetworkEvents

Keywords

DevicesIntuneUser

Operators

|//where>ago()==startswithextendtostringextract()endswithprojectsort by

MITRE Techniques

Actions

GitHub