Find all the connections that have been made by Office from a compromised device.
MDE Connections Made By Office Compromised Device
Query
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let CompromisedDevice = "laptop1";
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
| extend Connection = split(RegistryKey, @"SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache", 1)
| extend Domain = extract(@"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+", 0, RegistryKey)
| project-reorder Domain, ConnectionAbout this query
Find all the connections that have been made by Office from a compromised device.
Defender XDR
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let CompromisedDevice = "laptop1";
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
| extend Connection = split(RegistryKey, @"SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache", 1)
| extend Domain = extract(@"([a-z0-9|-]+\.)*[a-z0-9|-]+\.[a-z]+", 0, RegistryKey)
| project-reorder Domain, Connection
Sentinel
Explanation
This query is designed to identify network connections made by Microsoft Office applications from a specific compromised device, named "laptop1," within the last 7 days. It does this by examining registry events that indicate when Office applications have stored information about servers they have connected to. Here's a breakdown of what the query does:
-
Define Variables:
ConnectionsMadeByOfficeRegKey: This is the registry path where Office stores information about servers it has connected to.CompromisedDevice: The name of the device that is suspected to be compromised, in this case, "laptop1."SearchWindow: The time frame for the search, set to the last 7 days.
-
Filter Events:
- The query looks at
DeviceRegistryEvents, which logs changes to the registry. - It filters these events to only include those that occurred within the last 7 days (
SearchWindow). - It further narrows down to events from the specific compromised device (
DeviceName == CompromisedDevice). - It only considers events where a registry value was set (
ActionType == "RegistryValueSet"). - It specifically looks for registry keys that contain the path defined in
ConnectionsMadeByOfficeRegKey.
- The query looks at
-
Extract Information:
- The query extracts the connection details from the registry key by splitting the key at the specified path.
- It also extracts the domain name from the registry key using a regular expression.
-
Output:
- The results are reordered to show the domain and connection details.
This query helps in identifying potentially malicious or unauthorized connections made by Office applications from a compromised device, which can be crucial for security investigations.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceRegistryEvents
Keywords
ConnectionsDeviceOfficeDomainRegistry
Operators
letagowherecontainsextendsplitextractproject-reorder