Navigation :

Detect Outlook Exe Writing A Zip File

Description

This search looks for execution of process outlook.exe where the process is writing a .zip file to the disk.

Help
Detect Outlook Exe Writing A Zip File Help You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.

Help

Detect Outlook Exe Writing A Zip File Help

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.

Search
\| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user \| `drop_dm_object_name(Processes)` \| `security_content_ctime(firstTime)` \| `security_content_ctime(lastTime)` \| rename process_id as malicious_id\| rename parent_process_id as outlook_id\| join malicious_id type=inner[\| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=zip OR Filesystem.file_name=.lnk ) AND (Filesystem.file_path=C:\\Users OR Filesystem.file_path=Local\\Temp) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest \| `drop_dm_object_name(Filesystem)` \| `security_content_ctime(firstTime)` \| `security_content_ctime(lastTime)` \| rename process_id as malicious_id\| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] \| table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path \| where file_name != "" \| `detect_outlook_exe_writing_a_zip_file_filter` Open in Search

Search

| tstats `security_content_summariesonly`  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name  FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip*   OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by  _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name  file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`

Open in Search