SELECT
ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list,
COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count,
windows_processes.name AS process_name,
windows_processes.path AS path,
windows_processes.cmdline AS cmd_line,
DATE_FORMAT(FROM_UNIXTIME(MIN(windows_processes.time)), '%Y-%m-%dT%H:%i:%SZ') AS first_seen,
DATE_FORMAT(FROM_UNIXTIME(MAX(windows_processes.time)), '%Y-%m-%dT%H:%i:%SZ') AS last_seen,
windows_processes.parent_name AS parent_process_name,
windows_processes.parent_path AS parent_path,
windows_processes.username AS user_name,
ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.sophos_pid), CHR(10)) AS sophos_pid_list,
ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.parent_sophos_pid), CHR(10)) AS parent_sophos_pid_list,
windows_processes.sha256 AS sha256,
windows_processes.ml_score AS ml_score,
windows_processes.pua_score AS pua_score,
windows_processes.global_rep AS global_rep,
windows_processes.local_rep AS local_rep
FROM
xdr_data AS windows_processes
WHERE
windows_processes.query_name = 'running_processes_windows_sophos'
AND
(
LOWER(windows_processes.name) = 'msdt.exe'
AND (
LOWER(windows_processes.parent_name) IN ('winword.exe', 'excel.exe', 'outlook.exe')
)
)
GROUP BY
windows_processes.username,
windows_processes.parent_name,
windows_processes.name,
windows_processes.cmdline,
windows_processes.sha256,
windows_processes.path,
windows_processes.ml_score,
windows_processes.pua_score,
windows_processes.global_rep,
windows_processes.local_rep,
windows_processes.parent_path
ORDER BY last_seen DESC
We've been using this query for detecting the Follina RCE in our lab. Open for suggestions :-)
BR, reg1nleifr
Top Comments