12-15-2021 09:20 AM - edited 12-15-2021 11:04 AM
Can Cortex see if macros have been launched on an endpoint, specifically Office Macros?
I tried the "All Actions" query and searched for .doc and .xls files but no luck.
Has anyone tried to search for macros using Cortex query or xql?
Just to clarify, I was trying to hunt for any macro executions seen on our endpoints whether they are malicious or not.
12-16-2021 01:43 AM
The query I shared also gives all the files that Excel has opened. The query is just a basic query that you could use and modify as you like.
For instance,
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and actor_process_command_line contains "xlsm"
I would suggest you check our XQL documentation here and here.
I would also recommend you check our Cortex XDR Walkthrough videos. We have many videos showcasing every part of the Cortex XDR product.
12-15-2021 09:49 AM
If you know the hash value of the macro part of the Excel file, yes. You can use Hash View to search for it, or Query Builder, or XQL queries.
12-15-2021 10:04 AM
Ya, I wouldn't know the hash value; it would be a general search or audit looking for any Office Macros by their file properties.
12-15-2021 10:31 AM
Hi @Kamal.Kishore,
The XDR agent office protection ignores Excel files with no macros and will only report on those with a seemingly malicious macro. What you can do is look in XQL for all executed Excel files.
You could try something like this:
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and actor_process_image_name = "EXCEL.EXE"
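As an added example (not part of any reply in this thread), the query below extends the approach above from Excel to Word and PowerPoint and narrows it to macro-enabled OOXML extensions, so it surfaces opens of files that can carry VBA rather than every workbook Excel touches. The field names actor_effective_username, action_file_name and action_file_path are assumed to be present in xdr_data; verify them against your tenant's schema before relying on the query.

```xql
// Hunt: macro-capable Office documents opened by the Office host processes.
// FILE_OPEN is a proxy; the agent does not emit a dedicated "macro executed" event.
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN
// Restrict to the three main Office hosts (add others such as MSACCESS.EXE if needed)
| filter actor_process_image_name in ("EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE")
// Macro-enabled OOXML extensions only; (?i) makes the match case-insensitive
| filter action_file_name ~= "(?i).*\.(xlsm|xltm|xlam|docm|dotm|pptm|potm|ppam)$"
| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, action_file_path
| sort desc _time
```

Legacy binary formats (.xls, .doc, .ppt) store macros inside the same OLE container as macro-free files, so they cannot be told apart by extension and are not covered by this filter.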
12-15-2021 11:00 AM
Hi Fmoixsante,
Thank you for your response.
That's a great query to identify where Excel.exe is running, but I don't see any data pertaining to macro events.
12-15-2021 10:56 PM
12-15-2021 10:57 PM
Hi Kamal,
Try .xlsm instead.
Thanks