Asr Executable Office Content
Query
// To prevent False Positives a FilePrevalanceThreshold is used.
let FilePrevalanceThreshold = 100;
DeviceEvents
// Filter on the specific ActionTypes
| where ActionType in~ ('AsrExecutableOfficeContentAudited', 'AsrExecutableOfficeContentBlocked')
// Enrich results with File information
| invoke FileProfile('SHA1', 10000)
| where GlobalPrevalence <= FilePrevalanceThreshold
| project Timestamp, DeviceName, DeviceId, InitiatingProcessAccountUpn, FileName, FolderPath, ActionType, Signer, GlobalFirstSeen, GlobalPrevalence, SHA1, InitiatingProcessCommandLine, InitiatingProcessFolderPathAbout this query
Explanation
This query is designed to detect potentially malicious activities related to Office applications (like Word, Excel, and PowerPoint) creating executable content, which could be used by attackers to maintain persistence on a system. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify instances where Office applications might be used to create executable files that could be harmful. This is a known technique for attackers to maintain persistence on a system by having malicious components that survive reboots.
-
MITRE ATT&CK Technique: It relates to the "Office Application Startup" technique (T1137), which involves using Office applications to execute malicious code.
-
Query Details:
- File Prevalence Threshold: The query uses a threshold to avoid false positives by considering only files that are not commonly seen (less than 100 occurrences globally).
- Action Types: It looks for specific actions where executable content creation by Office apps was either audited or blocked.
- File Information: The query enriches the results with file details, including the file's global prevalence, to help determine if the file is suspicious.
-
Risk: If a malicious Office application runs successfully, it could allow an attacker to gain persistence on the system.
-
Execution:
- Defender XDR: The query is best run in Microsoft Defender for Endpoint (MDE) because it uses the
FileProfilefunction, which isn't supported in Sentinel. - Sentinel: A similar query can be run in Sentinel, but without the file prevalence filtering.
- Defender XDR: The query is best run in Microsoft Defender for Endpoint (MDE) because it uses the
Overall, this query is part of a security measure to prevent and detect malicious activities involving Office applications creating executable content, which could be used by attackers to compromise systems.
