Microsoft-365-Defender-Hunt.../Initial access/WhenZAPed.md
2020-09-29 11:05:11 +03:00
# When email was ZAPed
This query lets you verify when emails matching your search condition (by default, the presence of a given URL) were ZAPed (removed post-delivery by Zero-hour Auto Purge) and compare that time with the original delivery time.
## Query
```
let URL = ""; // Put your URL (regular expression) here; an empty string matches every URL
EmailUrlInfo
| where Url matches regex URL
| join EmailEvents on NetworkMessageId
// Only inbound mail that actually reached a mailbox can be ZAPed afterwards
| where DeliveryAction == "Delivered" and EmailDirection == "Inbound"
| project Timestamp, NetworkMessageId, Url, SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
// Post-delivery actions for the same message; its Timestamp is suffixed as Timestamp1 by the join
| join kind=inner EmailPostDeliveryEvents on NetworkMessageId
| extend DeliveryTime = Timestamp
| extend ZAPTime = Timestamp1
| project DeliveryTime, ZAPTime, NetworkMessageId, SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
| sort by DeliveryTime asc
```
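The query above lists delivery and ZAP times side by side but leaves the comparison to the reader. The variant below is an added example, not part of the original query: it computes the exposure window (how long the message sat in the mailbox before ZAP removed it), restricts the post-delivery rows to ZAP actions, and aggregates per sender and subject so a campaign that stayed exposed for a long time stands out. It assumes that `EmailPostDeliveryEvents` carries `ActionType` values containing "ZAP" (such as "Phish ZAP") and an `ActionResult` column; the one-hour threshold is a constructed starting point to tune.

```kusto
// Added example extending the page's query; assumes ActionType/ActionResult
// exist on EmailPostDeliveryEvents and that ZAP rows carry "ZAP" in ActionType.
let URL = "";            // regular expression; empty string matches every URL
let MinExposure = 1h;    // constructed threshold: report only messages exposed longer than this
EmailUrlInfo
| where Url matches regex URL
| join EmailEvents on NetworkMessageId
| where DeliveryAction == "Delivered" and EmailDirection == "Inbound"
| project DeliveryTime = Timestamp, NetworkMessageId, Url, SenderFromAddress,
          RecipientEmailAddress, Subject, OriginalLocation = DeliveryLocation
| join kind=inner (
    EmailPostDeliveryEvents
    | where ActionType has "ZAP"                 // keep ZAP, drop manual remediation
    | project ZAPTime = Timestamp, NetworkMessageId, ActionType, ActionResult,
              ZAPLocation = DeliveryLocation
  ) on NetworkMessageId
| extend ExposureWindow = ZAPTime - DeliveryTime  // time the message was readable before removal
| where ExposureWindow > MinExposure
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            FirstDelivery = min(DeliveryTime),
            MaxExposure = max(ExposureWindow),
            Results = make_set(ActionResult)
          by SenderFromAddress, Subject, ActionType
| sort by MaxExposure desc
```

Rows with a large `MaxExposure` are the ones worth following up with `UrlClickEvents` or mailbox audit data, since recipients had the longest opportunity to act on the message before ZAP removed it.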
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | x | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## Contributor info

**Contributor:** Pawel Partyka

**GitHub alias:** pawp81

**Organization:** Microsoft

**Contact info:** @pawp81