User Disabled Python Excel Warning For Executing Untrusted Code
Query
// https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
// https://github.com/tsale/Sigma_rules/blob/main/MISC/pythonfunctionwarnings_disabled.yml
imProcess
| where TimeGenerated > ago(1h)
| where TargetProcessName endswith "reg.exe" or TargetProcessName endswith "powershell.exe"
| where CommandLine has_all("software\\policies\\microsoft\\office\\", "\\excel\\security", "pythonfunctionwarnings*0")
| where CommandLine has_all ("reg", "add") or CommandLine contains 'Set-ItemProperty'
| project-reorder TargetProcessName, CommandLine, ActingProcessNameExplanation
This query filters the "imProcess" table to only include events that occurred within the last hour. It further filters the events to only include processes with names ending in "reg.exe" or "powershell.exe". It then checks if the command line used in these processes contains specific strings related to Excel security and Python function warnings. Additionally, it checks if the command line contains either "reg add" or "Set-ItemProperty". Finally, it reorders the columns to display TargetProcessName, CommandLine, and ActingProcessName.
Details

Regan Carey @rcegann (User Submission)
Released: October 25, 2023
Tables
imProcess
Keywords
DevicesIntuneUser
Operators
whereendswithorhas_allcontainsproject-reorder