@nathanmcnulty Is there a way in KQL to find macro-enabled documents that have the MOTW flag set?

@justaq I'll have to write it later when I'm at a computer, but yes we can. It'll be using file extension (docm, xlsm, etc.) with, I think, RemoteUrl.

If you can, check the schema on DeviceFileEvents. Again, all from memory here, so I can check later when at a computer ;)

@justaq This is what I came up with, figured I'd ask a broader audience and see what improvements others have :)

https://infosec.exchange/@nathanmcnulty/109373904833567292

Nathan McNulty (@nathanmcnulty@infosec.exchange)

Someone asked about a #KQL query to find macro-enabled docs with MOTW. Here's my initial query off the top of my head, anyone got improvements?

DeviceFileEvents
| where FileName endswith ".docm" or FileName endswith ".xlsm" or FileName endswith ".pptm"
| where FileOriginUrl has "://"

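As an added example (not the poster's own query), here is one way the query above can be widened for triage: it covers the remaining Office macro extensions, keeps the FileOriginUrl presence check as the MOTW proxy the thread relies on, and pulls out the source host so hits from known-good internal sources can be baselined. It assumes the standard DeviceFileEvents columns (ActionType, FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, SHA256); the allow-listed host is a placeholder.

```kql
// Added example, not from the original thread. Assumes the Advanced Hunting
// DeviceFileEvents schema; replace the placeholder host with your own sources.
let MacroExts = dynamic(["docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"]);
let KnownGoodHosts = dynamic(["sharepoint.internal.example"]);   // placeholder allow-list
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// last dotted component of the name, lower-cased, so Report.XLSM is caught too
| extend Ext = extract(@"\.(\w+)$", 1, tolower(FileName))
| where Ext in (MacroExts)
// MOTW proxy used in the thread: a download URL recorded for the file
| where isnotempty(FileOriginUrl) and FileOriginUrl contains "://"
| extend SourceHost = tostring(parse_url(FileOriginUrl).Host)
| where SourceHost !in~ (KnownGoodHosts)
| project Timestamp, DeviceName, FileName, FolderPath, SourceHost,
          FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, SHA256
| order by Timestamp desc
```

Summarising with `| summarize count() by SourceHost` first is a quick way to see which hosts dominate before deciding what belongs on the allow-list.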