// Query taken from: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Delivery/Email%20link%20%2B%20download%20%2B%20SmartScreen%20warning.txt
// NOTE(review): table and column names (MiscEvents, EventTime, ComputerName)
// follow the schema of the linked source repository; confirm they resolve in
// the advanced-hunting tenant this is run against.
//
// Step 1: SmartScreen warnings for unknown apps that the user overrode and ran.
// The warning and the override are separate MiscEvents rows that share an
// ActivityId stored as JSON in AdditionalFields. leftsemi keeps only warning
// rows that have a matching override on the same device and adds no columns
// from the override side, so the result is one row per ignored warning.
let smartscreenAppWarnings =
    MiscEvents
    | where ActionType == "SmartScreenAppWarning"
    | extend ActivityId = extractjson("$.ActivityId", AdditionalFields, typeof(string))
    | project WarnTime = EventTime, ComputerName, WarnedFileName = FileName,
              WarnedSHA1 = SHA1, ActivityId
    | join kind=leftsemi (
        MiscEvents
        | where ActionType == "SmartScreenUserOverride"
        | extend ActivityId = extractjson("$.ActivityId", AdditionalFields, typeof(string))
        | project ComputerName, ActivityId
      ) on ComputerName, ActivityId
    // ActivityId was only needed for the correlation; drop it from the output.
    | project-away ActivityId;
// Step 2: links a user opened from Outlook shortly before one of the overridden
// SmartScreen warnings from step 1 on the same device (warning 0-4 min after
// the click; the window is a tuning knob).
// Outlook Safe Links wrap the real destination in the `url` query parameter of
// a safelinks.protection.outlook.com URL, so that case is unwrapped first and
// MailLink holds the actual target for triage.
let emailLinksNearSmartScreenWarnings =
    MiscEvents
    | where ActionType == "BrowserLaunchedToOpenUrl"
        and InitiatingProcessFileName in~ ("outlook.exe")
        and isnotempty(RemoteUrl)
    | extend ParsedUrl = parse_url(RemoteUrl)
    | extend WasOutlookSafeLink = (tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
    | extend MailLink = iif(WasOutlookSafeLink,
                            url_decode(tostring(ParsedUrl["Query Parameters"]["url"])),
                            RemoteUrl)
    | project ComputerName, MailLinkTime = EventTime, MailLink
    // Keyed on device only; the time filter below narrows the candidate pairs.
    | join kind=inner smartscreenAppWarnings on ComputerName
    | where (WarnTime - MailLinkTime) between (0min .. 4min);
// Step 3: browser downloads that fall between the Outlook link click and the
// SmartScreen warning on the same device: download 0-3 min after the click,
// warning 0-1 min after the download. Both windows are tuning knobs.
// Only downloads whose initiating process is in the list below are considered;
// downloads by other browsers will not match this query.
// FileOriginUrl / FileOriginReferrerUrl are kept so the download source can be
// compared against MailLink during triage.
FileCreationEvents
| where InitiatingProcessFileName in~ ("chrome.exe", "browser_broker.exe")
    and isnotempty(FileOriginUrl)
| project ComputerName, EventTime, FileName, SHA1, FileOriginUrl, FileOriginReferrerUrl
// Keyed on device only; the time filters below narrow the candidate pairs.
| join kind=inner emailLinksNearSmartScreenWarnings on ComputerName
| where (EventTime - MailLinkTime) between (0min .. 3min)
| where (WarnTime - EventTime) between (0min .. 1min)
| project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName,
          ComputerName, SHA1, WarnedSHA1, EventTime
| distinct *