Endpoints accessing .zip or .mov websites
Network Zipandmov Access
Query
DeviceNetworkEvents
// Define the time you are interested to look into
| where TimeGenerated > ago(1d)
// Remove the line below in case you want to look into both successful and unsuccessful events
| where ActionType == "ConnectionSuccess"
// The line below refers to connections made when requesting a .zip through file explorer
// | where InitiatingProcessFileName == @"svchost.exe"
// Define RemoteURL
| where RemoteUrl startswith "https://" or RemoteUrl startswith "http://"
// Define domain as a string that includes a domain exclusively leaving outside .zip or .mov accessed files for download
| extend domain = tostring(extract("https?://([^:/]*)(:?)(/|$)", 1, RemoteUrl))
// String should exclusively look for .zip or .mov TLDs
| where domain endswith ".zip" or domain endswith ".mov"
| project Timestamp, DeviceName, ActionType, RemoteUrl
// Sort by newsest events first
| sort by Timestamp descAbout this query
Explanation
This query is designed to identify endpoints that are accessing websites with .zip or .mov domains. It focuses on requests for .zip and .mov files made through file explorer and filters out successful connection events. The query retrieves information such as the timestamp, device name, action type, and remote URL for these events. It can be used in Microsoft 365 Defender or Microsoft Sentinel. The query is mapped to MITRE ATT&CK technique T1204.001 (User Execution: Malicious Link).
