Hunting dashboard for Follina - CVE-2022-30190

gistfile1.txt

index=YOUR_ENDPOINT_TELEMETRY_INDEX msdt ChildPath=*msdt.exe ``` make sure you use msdt as a bloomfilter to speedup the query and filter on msdt.exe as child (primarily)```

``` Highlight interesting traces ```
| eval office_parent=if(match(ParentPath, "(?i)(winword|excel|powerpnt|outlook)\.exe"), 1, 0)
| eval cmdshell_parent=if(match(ParentPath, "(?i)\S+\\\(cmd|pwsh|sqlps|sqltoolsps|powershell|powershell_ise)\.exe"), 1, 0)
| eval uri_scheme=if(match(command, "(?i)ms-msdt:/"), 1, 0)
| eval traversal=if(match(command, "(?i)\.\.\S\.\."), 1, 0)
| eval exe_param=if(match(replace(command, "(?i)msdt\.exe", ""), "(?i)\S+\.exe"), 1, 0)

``` Normalize the parent path```
| eval ParentPath=lower(ParentPath)

| stats sparkline, count, dc(HostName) AS host_count, values(HostName) AS hosts, last(command) AS last_command by ParentPath, exe_param, office_parent, cmdshell_parent, traversal, uri_scheme

| eval hosts=if(mvcount(hosts)>5, "More than 5", hosts) ``` Only lists hosts when prevalence is low ```

| sort 0 +num(host_count)

Sysmon version:

`sysmon` msdt.exe

| eval office_parent=if(match(parent_process_path, "(?i)(winword|excel|powerpnt|outlook)\.exe"), 1, 0)
| eval cmdshell_parent=if(match(parent_process_path, "(?i)\S+\\\(cmd|pwsh|sqlps|sqltoolsps|powershell|powershell_ise)\.exe"), 1, 0)
| eval uri_scheme=if(match(CommandLine, "(?i)ms-msdt:/"), 1, 0)
| eval traversal=if(match(CommandLine, "(?i)\.\.\S\.\."), 1, 0)
| eval exe_param=if(match(replace(CommandLine, "(?i)msdt\.exe", ""), "(?i)\S+\.exe"), 1, 0)


| eval parent_process_path=lower(parent_process_path)

| stats sparkline, count, dc(dest) AS host_count, values(dest) AS hosts, last(CommandLine) AS last_command by parent_process_path, exe_param, office_parent, cmdshell_parent, traversal, uri_scheme

| eval hosts=if(mvcount(hosts)>5, "More than 5", hosts) 

| sort 0 +num(host_count)