Approved

Query for CVE-2021-40444 MSHTML Process Event

This query looks for a process-creation event associated with in-the-wild exploitation of CVE-2021-40444. In the observed attack chain, WINWORD.EXE (Microsoft Word) spawns a child process, control.exe (the Windows Control Panel host), which is used to run the attacker's payload after the malicious document has been processed by the MSHTML component.

A match does NOT guarantee you have been breached: control.exe is also launched legitimately (for example by explorer.exe when a user opens Control Panel). The query gives you a focused set of event-log records to start your hunt from; check the parent process and the command line of every hit. Keep in mind that event ID 4688 is only written when the "Audit Process Creation" subcategory is enabled, and the command line appears in the event only if "Include command line in process creation events" is also turned on.

```sql
-- Process-creation (4688) events whose data mentions control.exe
SELECT datetime(time, 'unixepoch', 'localtime') AS WinEventTimeStamp,
       datetime AS SystemTimeStamp,
       Source,
       eventID,
       task_message,
       executing_pid,
       executing_tid,
       data
FROM sophos_windows_events
WHERE eventID = '4688'
  AND data LIKE '%control.exe%'
```
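As an added example, not part of the original query: a tighter variant that requires both the child process (control.exe) and the creator process (WINWORD.EXE) to appear in the same 4688 record, which drops ordinary Control Panel launches from the results. It assumes the same sophos_windows_events table and column names as the query above, and that the endpoint writes the Creator Process Name field into 4688 (Windows 10 / Server 2016 and later); on older builds without that field, fall back to the broader query and review parent processes by hand.

```sql
-- Added example (not the original query): narrow the hunt to control.exe
-- created by WINWORD.EXE, the parent/child pair seen with CVE-2021-40444.
-- Assumes the sophos_windows_events table and columns used above, and that
-- the 4688 event includes the Creator Process Name field.
SELECT datetime(time, 'unixepoch', 'localtime') AS WinEventTimeStamp,
       datetime AS SystemTimeStamp,
       Source,
       eventID,
       task_message,
       executing_pid,
       executing_tid,
       data
FROM sophos_windows_events
WHERE eventID = '4688'
  -- New Process Name ends in \control.exe (LIKE is case-insensitive for ASCII)
  AND data LIKE '%\control.exe%'
  -- Creator Process Name ends in \WINWORD.EXE
  AND data LIKE '%\WINWORD.EXE%'
ORDER BY time DESC;
```

Because the data column is matched with LIKE rather than parsed, a hit only proves that both strings occur somewhere in the event; confirm that control.exe is the New Process Name and WINWORD.EXE the Creator Process Name on each record, and inspect the control.exe command line, before escalating.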