kqlHunting

Data Sources: DeviceProcessEvents, DeviceNetworkEvents
Platforms: windows, azure-sentinel, microsoft-defender
Tags: vulnerability-exploitation, detection

# Follina Detection
## Query Information
#### Description
Detects exploitation of the Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT) from Defender for Endpoint telemetry, using three independent signals: msdt.exe launched by Outlook, Word or Excel; msdt.exe spawning a child process other than itself; and msdt.exe or sdiagnhost.exe making a successful connection to a public address that is not under visualstudio.com or microsoft.com. The Office-parent signal is the highest-fidelity one; the other two legs widen coverage to post-exploitation activity. Each leg is a separate union operand, so one host can appear several times in the results; summarize by DeviceName when triaging.
#### References
- https://www.reddit.com/r/blueteamsec/comments/v0wgqh/sentinel_kql_detections_for_microsoft_word_zero/
- https://github.com/reprise99/Sentinel-Queries/blob/main/Defender%20for%20Endpoint/Device-msdtPotentialExploit.kql
## Defender XDR
```KQL
// Sources: https://www.reddit.com/r/blueteamsec/comments/v0wgqh/sentinel_kql_detections_for_microsoft_word_zero/ & https://github.com/reprise99/Sentinel-Queries/blob/main/Defender%20for%20Endpoint/Device-msdtPotentialExploit.kql
// Three independent signals for Follina (MSDT) exploitation, unioned so that any one of them surfaces the host.
// contains, has_any and endswith are case-insensitive in KQL, so mixed-case file names and command lines still match.
(union isfuzzy=true
// 1. Outlook, Word or Excel launching msdt.exe: the ms-msdt: protocol handler fired from a document or mail.
(DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"outlook.exe", @"winword.exe", @"excel.exe")),
// 2. msdt.exe spawning a child process other than msdt.exe itself (post-exploitation execution).
(DeviceProcessEvents
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"),
// 3. msdt.exe or sdiagnhost.exe successfully reaching a public address that is not a Microsoft endpoint.
//    RemoteUrl is empty for bare-IP connections, so the two !endswith exclusions keep those in scope.
(DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
and RemoteUrl !endswith ".visualstudio.com"
and RemoteUrl !endswith ".microsoft.com")
)
```
## Sentinel
```KQL
// Sources: https://www.reddit.com/r/blueteamsec/comments/v0wgqh/sentinel_kql_detections_for_microsoft_word_zero/ & https://github.com/reprise99/Sentinel-Queries/blob/main/Defender%20for%20Endpoint/Device-msdtPotentialExploit.kql
// Three independent signals for Follina (MSDT) exploitation, unioned so that any one of them surfaces the host.
// contains, has_any and endswith are case-insensitive in KQL, so mixed-case file names and command lines still match.
(union isfuzzy=true
// 1. Outlook, Word or Excel launching msdt.exe: the ms-msdt: protocol handler fired from a document or mail.
(DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"outlook.exe", @"winword.exe", @"excel.exe")),
// 2. msdt.exe spawning a child process other than msdt.exe itself (post-exploitation execution).
(DeviceProcessEvents
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"),
// 3. msdt.exe or sdiagnhost.exe successfully reaching a public address that is not a Microsoft endpoint.
//    RemoteUrl is empty for bare-IP connections, so the two !endswith exclusions keep those in scope.
(DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
and RemoteUrl !endswith ".visualstudio.com"
and RemoteUrl !endswith ".microsoft.com")
)
```
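To check what the three union legs above actually fire on before deploying them, here is the same logic re-implemented in Python and run over constructed sample events. This is an added example for offline testing, not code from the page or from the referenced Sentinel-Queries repository; the event records, ReportId values, file paths and the `kql_*` helper names are all assumptions made for the example, and the helpers approximate Kusto's case-insensitive `contains`, `has_any` (whole-term match) and `endswith` semantics rather than reproducing the engine exactly.

```python
import re
from typing import Iterable

# Terms copied from the KQL query so the two stay in sync.
OFFICE_PARENTS = ("outlook.exe", "winword.exe", "excel.exe")
MSDT_BINARIES = ("sdiagnhost.exe", "msdt.exe")
EXCLUDED_URL_SUFFIXES = (".visualstudio.com", ".microsoft.com")


def _terms(text: str) -> list[str]:
    # Approximation of Kusto term indexing: alphanumeric runs, compared case-insensitively.
    return re.findall(r"[a-z0-9]+", text.lower())


def kql_has_any(value: str, phrases: Iterable[str]) -> bool:
    """KQL `has_any`: a phrase matches when its terms occur as a contiguous run of whole
    terms in value ("winword.exe" matches "WINWORD.EXE" but not "winwordx.exe")."""
    toks = _terms(value)
    for phrase in phrases:
        p = _terms(phrase)
        if p and any(toks[i:i + len(p)] == p for i in range(len(toks) - len(p) + 1)):
            return True
    return False


def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def kql_endswith(value: str, suffix: str) -> bool:
    """KQL `endswith`: case-insensitive; note `!endswith` on an empty RemoteUrl is true."""
    return value.lower().endswith(suffix.lower())


def leg1_office_spawns_msdt(ev: dict) -> bool:
    return (kql_contains(ev["ProcessCommandLine"], "msdt.exe")
            and kql_has_any(ev["InitiatingProcessFileName"], OFFICE_PARENTS))


def leg2_msdt_spawns_child(ev: dict) -> bool:
    return (kql_contains(ev["InitiatingProcessCommandLine"], "msdt.exe")
            and not kql_contains(ev["ProcessCommandLine"], "msdt.exe"))


def leg3_msdt_public_connection(ev: dict) -> bool:
    return (kql_has_any(ev["InitiatingProcessFileName"], MSDT_BINARIES)
            and ev["RemoteIPType"] == "Public"
            and ev["ActionType"] == "ConnectionSuccess"
            and not any(kql_endswith(ev["RemoteUrl"], s) for s in EXCLUDED_URL_SUFFIXES))


def run_detection(process_events, network_events) -> list[tuple[str, str]]:
    """The three union legs; as with `union isfuzzy=true`, an event matching two legs is reported twice."""
    hits = []
    for ev in process_events:
        if leg1_office_spawns_msdt(ev):
            hits.append(("office_spawns_msdt", ev["ReportId"]))
        if leg2_msdt_spawns_child(ev):
            hits.append(("msdt_spawns_child", ev["ReportId"]))
    for ev in network_events:
        if leg3_msdt_public_connection(ev):
            hits.append(("msdt_public_connection", ev["ReportId"]))
    return hits


# Constructed sample telemetry (not real events); only the columns the query reads are present.
SAMPLE_PROCESS_EVENTS = [
    # Word launching msdt.exe through the ms-msdt: handler: leg 1 fires.
    {"ReportId": "p1", "InitiatingProcessFileName": "WINWORD.EXE",
     "InitiatingProcessCommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docx"',
     "ProcessCommandLine": '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force'},
    # Explorer launching a troubleshooter: no Office parent, no hit.
    {"ReportId": "p2", "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCommandLine": "C:\\Windows\\Explorer.EXE",
     "ProcessCommandLine": "msdt.exe -id NetworkDiagnosticsWeb"},
    # msdt.exe spawning a shell: leg 2 fires.
    {"ReportId": "p3", "InitiatingProcessFileName": "msdt.exe",
     "InitiatingProcessCommandLine": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force",
     "ProcessCommandLine": "cmd.exe /c whoami"},
    # msdt.exe re-launching msdt.exe: suppressed by the !contains guard in leg 2.
    {"ReportId": "p4", "InitiatingProcessFileName": "msdt.exe",
     "InitiatingProcessCommandLine": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force",
     "ProcessCommandLine": "msdt.exe -af C:\\Windows\\Temp\\answers.xml"},
]

SAMPLE_NETWORK_EVENTS = [
    # msdt.exe reaching a public IP with no URL: leg 3 fires (empty RemoteUrl passes both !endswith).
    {"ReportId": "n1", "InitiatingProcessFileName": "msdt.exe", "RemoteIPType": "Public",
     "ActionType": "ConnectionSuccess", "RemoteUrl": ""},
    # sdiagnhost.exe talking to Microsoft: excluded by the suffix list.
    {"ReportId": "n2", "InitiatingProcessFileName": "sdiagnhost.exe", "RemoteIPType": "Public",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "go.microsoft.com"},
    # Failed connection: not a ConnectionSuccess event.
    {"ReportId": "n3", "InitiatingProcessFileName": "msdt.exe", "RemoteIPType": "Public",
     "ActionType": "ConnectionFailed", "RemoteUrl": "203.0.113.7"},
    # Internal address: RemoteIPType is not Public.
    {"ReportId": "n4", "InitiatingProcessFileName": "msdt.exe", "RemoteIPType": "Private",
     "ActionType": "ConnectionSuccess", "RemoteUrl": ""},
]


if __name__ == "__main__":
    for leg, report_id in run_detection(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"{leg}: {report_id}")
```

Running it reports p1 on the Office-parent leg, p3 on the child-process leg and n1 on the network leg, while p2, p4, n2, n3 and n4 stay silent for the reasons noted in the comments. Swapping your own exported rows into the two sample lists is a quick way to confirm what a tuning change (for example adding another Office parent or URL suffix) would have done to historical hits.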