Is it possible to search for Macros in Cortex?

L1 Bithead

Can Cortex see if macros have been launched on an endpoint, specifically Office Macros? 

I tried the "All Actions" query and searched for .doc and .xls files but no luck. 


Has anyone tried to search for macros using a Cortex query or XQL?


Just to clarify, I was trying to hunt for any macro executions seen on our endpoints whether they are malicious or not. 

7 Replies

L3 Networker

Hi @Kamal.Kishore 


If you know the hash value of macro part of the Excel file, yes. You can use Hash View to search for it, or Query Builder, or XQL queries.

Yeah, I wouldn't know the hash value; it would be a general search or audit looking for any Office Macros by their file properties.

Hi @Kamal.Kishore,


The XDR agent office protection ignores Excel files with no macros and will only report on those with a seemingly malicious macro. What you can do is look in XQL for all executed Excel files.


You could try something like this:
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and actor_process_image_name = "EXCEL.EXE"

Hi Fmoixsante,


Thank you for your response. 

That's a great query to identify where Excel.exe is running, but I don't see any data pertaining to macro events.

L2 Linker

Hi Kamal,


Try .xlsm instead.


Thanks

The query I shared also gives all the files that Excel has opened. The query is just a basic query that you could use and modify as you like. 


For instance,

dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and actor_process_command_line contains "xlsm"


I would suggest you check our XQL documentation here and here.


I would also recommend you check our Cortex XDR Walkthrough videos. We have many videos showcasing every part of the Cortex XDR product.
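The accepted query keys on the string "xlsm" in the Excel command line. The following is an added example (not from this thread or from Palo Alto Networks) that mirrors that filter over constructed xdr_data-style records, widens it to every macro-enabled OOXML extension and to Word/PowerPoint as the actor process, and adds the file-property check the original poster asked about: an OOXML document only carries VBA if its zip holds a vbaProject.bin part. The field names follow the thread's query; the extension list, process names and all sample records are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Extensions whose OOXML container may carry a VBA project (assumed list).
MACRO_EXT_RE = re.compile(r"\.(xlsm|xlam|docm|dotm|pptm|potm)\b", re.IGNORECASE)
OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}

def macro_file_opens(events):
    """Mirror of the thread's XQL filter (FILE / FILE_OPEN by an Office
    process with a macro-enabled extension on the command line), widened
    from "xlsm" to every macro-enabled OOXML extension and to Word/PowerPoint."""
    return [
        ev for ev in events
        if ev.get("event_type") == "FILE"
        and ev.get("event_sub_type") == "FILE_OPEN"
        and ev.get("actor_process_image_name", "").upper() in OFFICE_IMAGES
        and MACRO_EXT_RE.search(ev.get("actor_process_command_line", ""))
    ]

def has_vba_project(data):
    """File-property check: an OOXML document is macro-enabled only if the
    zip holds a vbaProject.bin part. Returns None for non-OOXML bytes
    (legacy .xls/.doc are OLE2 binaries this check cannot judge)."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def build_sample_ooxml(with_vba):
    """Constructed minimal zip standing in for an .xlsx/.xlsm (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

# Constructed xdr_data-style records; field names follow the thread's query.
SAMPLE_EVENTS = [
    {"event_type": "FILE", "event_sub_type": "FILE_OPEN", "actor_process_image_name": "EXCEL.EXE",
     "actor_process_command_line": r'"C:\Office\EXCEL.EXE" "C:\Users\a\Budget.xlsm"'},
    {"event_type": "FILE", "event_sub_type": "FILE_OPEN", "actor_process_image_name": "EXCEL.EXE",
     "actor_process_command_line": r'"C:\Office\EXCEL.EXE" "C:\Users\a\Notes.xlsx"'},
    {"event_type": "FILE", "event_sub_type": "FILE_OPEN", "actor_process_image_name": "WINWORD.EXE",
     "actor_process_command_line": r'"C:\Office\WINWORD.EXE" /n "C:\Users\a\Memo.docm"'},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "actor_process_image_name": "EXCEL.EXE",
     "actor_process_command_line": r'"C:\Office\EXCEL.EXE" "C:\Users\a\Old.xlsm"'},
]
```

Note that both the query and this filter are extension heuristics: a renamed file or a legacy .xls/.doc with VBA is not caught, which is why the vbaProject.bin check on the file itself is a useful second pass.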
