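// Office application spawning a shell or script/LOLBin child process (Sigma win_office_shell).
// Detection intent: parent is an Office binary AND child is one of the listed interpreters/LOLBins.
//
// Precedence fix: in KQL `and` binds tighter than `or`. The original single-line form had no
// grouping, so it evaluated as
//   (parent==WINWORD) or (parent==EXCEL) or ... or (parent==OUTLOOK and child==cmd.exe) or (child==powershell.exe) or ...
// i.e. it fired on ANY Office parent regardless of child, and on ANY listed child regardless
// of parent (very noisy), while only the OUTLOOK.EXE -> cmd.exe pair was a real conjunction.
// The parent set and the child set are now each wrapped in their own parentheses.
//
// NOTE(review): `Image` / `ParentImage` are Sysmon-style field names carried over from the Sigma
// rule. On the Sentinel SecurityEvent table, event 4688 exposes the process paths as
// NewProcessName / ParentProcessName — confirm which schema this workspace uses before deploying.
// `endswith` is case-insensitive in KQL, so the mixed-case extensions (.EXE / .exe) are equivalent.
SecurityEvent
| where EventID == "4688"
| where (ParentImage endswith "\\WINWORD.EXE"
      or ParentImage endswith "\\EXCEL.EXE"
      or ParentImage endswith "\\POWERPNT.exe"
      or ParentImage endswith "\\MSPUB.exe"
      or ParentImage endswith "\\VISIO.exe"
      or ParentImage endswith "\\OUTLOOK.EXE")
  and (Image endswith "\\cmd.exe"
      or Image endswith "\\powershell.exe"
      or Image endswith "\\wscript.exe"
      or Image endswith "\\cscript.exe"
      or Image endswith "\\sh.exe"
      or Image endswith "\\bash.exe"
      or Image endswith "\\scrcons.exe"
      or Image endswith "\\schtasks.exe"
      or Image endswith "\\regsvr32.exe"
      or Image endswith "\\hh.exe"
      or Image endswith "\\wmic.exe"
      or Image endswith "\\mshta.exe"
      or Image endswith "\\rundll32.exe"
      or Image endswith "\\msiexec.exe"
      or Image endswith "\\forfiles.exe"
      or Image endswith "\\scriptrunner.exe"
      or Image endswith "\\mftrace.exe"
      or Image endswith "\\AppVLP.exe")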