This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 546
/
Copy pathEmail link + download + SmartScreen warning.txt
32 lines (32 loc) · 2.33 KB
/
Email link + download + SmartScreen warning.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
// Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ignored by the user.
// Read more about these events and this hunting approach in this post: https://techcommunity.microsoft.com/t5/forums/editpage/board-id/WDATPActor/message-id/34
// Data availability: SmartScreen events are available only on Windows 10 version 1703 and onwards.
// Tags: #EmailLink, #BrowserDownload, #SmartScreen
let smartscreenAppWarnings =
// Query for SmartScreen warnings of unknown executed applications
DeviceEvents
| where ActionType == "SmartScreenAppWarning"
| project WarnTime=Timestamp, DeviceName, WarnedFileName=FileName, WarnedSHA1=SHA1, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
// Select only warnings that the user has decided to ignore and has executed the app.
| join kind=leftsemi (
DeviceEvents
| where ActionType == "SmartScreenUserOverride"
| project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
on DeviceName, ActivityId
| project-away ActivityId;
// Query for links opened from outlook, that are close in time to a SmartScreen warning
let emailLinksNearSmartScreenWarnings =
DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe"
| extend WasOutlookSafeLink=(tostring(parse_url(RemoteUrl).Host) endswith "safelinks.protection.outlook.com")
| project DeviceName, MailLinkTime=Timestamp,
MailLink=iff(WasOutlookSafeLink, url_decode(tostring(parse_url(RemoteUrl)["Query Parameters"]["url"])), RemoteUrl)
| join kind=inner smartscreenAppWarnings on DeviceName | where (WarnTime-MailLinkTime) between (0min..4min);
// Add the browser download event to tie in all the dots
DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ("chrome.exe", "browser_broker.exe")
| project FileName, FileOriginUrl, FileOriginReferrerUrl, DeviceName, Timestamp, SHA1
| join kind=inner emailLinksNearSmartScreenWarnings on DeviceName
| where (Timestamp-MailLinkTime) between (0min..3min) and (WarnTime-Timestamp) between (0min..1min)
| project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName, DeviceName, SHA1, WarnedSHA1, Timestamp
| distinct *