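# Microsoft Sentinel analytics rule (YAML) over the Office 365 connector's OfficeActivity table.
# Detection idea: Windows refuses to create files whose base name is a reserved device name
# (CON, NUL, COM1, ...), so such names landing on SharePoint/OneDrive point at non-Windows
# tooling and are worth a look as a possible malware staging location.
id: 61c28cd7-3139-4731-8ea7-2cbbeabb4684
name: Windows Reserved Filenames staged on Office file services
description: |
  Identifies when Windows reserved device names show up on Office services such as SharePoint and OneDrive,
  either as the file's base name (e.g. CON, NUL.txt) or as its extension.
  List currently includes CON, PRN, AUX, NUL, COM1 through COM9 and LPT1 through LPT9.
  Windows normally refuses to create files with these names (with or without an extension), so their
  presence on a file service may be an indication of a staging location for malware or other malicious activity.
  Additionally, the UserIdDiffThanUserFolder column flags when the acting user is not the owner of the
  OneDrive '/personal/' site the file lives in, i.e. one user operating in another user's workspace.
  Note that the query matches any OfficeActivity operation on such a file, not only uploads.
  References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity
tactics:
  - CommandAndControl
relevantTechniques:
  - T1105
query: |
  // Reserved device names for Windows (see the referenced naming-a-file doc). Per that doc the
  // name is also reserved when followed by an extension (NUL.txt), hence the base-name match below.
  let Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);
  OfficeActivity
  // Gate on the file name, not the extension: a file named exactly 'CON' has no extension, so an
  // isnotempty(SourceFileExtension) gate would drop it and the SourceFileName match could never fire.
  | where isnotempty(SourceFileName)
  // Base name = everything before the first '.', so 'CON.txt' -> 'CON' and 'CON' -> 'CON'.
  | extend SourceFileBaseName = tostring(split(SourceFileName, '.')[0])
  | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved) or SourceFileBaseName in~ (Reserved)
  // Tuning exclusion for macOS clients (presumably because non-Windows clients can create such
  // names legitimately - confirm against your tenant's baseline).
  // NOTE(review): UserAgent is client-supplied and trivially spoofable; treat this as noise
  // reduction, not as a security boundary.
  | where UserAgent !has "Mac OS"
  // OneDrive personal sites look like https://<tenant>-my.sharepoint.com/personal/<user_contoso_com>/ ;
  // [-2] is the owner folder when Site_Url carries a trailing slash - verify against real Site_Url values.
  | extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])
  // UPN -> personal-folder spelling: '@' and '.' become '_' (user@contoso.com -> user_contoso_com).
  | extend UserIdUserFolderFormat = tolower(replace('@|\\.', '_', UserId))
  // true when the actor is not the owner of the /personal/ site they are operating in
  | extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false)
  // One row per actor/site/file-name combination; per-event detail is kept in the list columns.
  | summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent),
      OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)
      by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, SourceFileExtension, SourceFileBaseName, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder
  // Use mv-expand on any of the list columns to get back to the exact time and metadata of each hit
  | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity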