mde_darkgate_sharepoint_ceo_link.md

Title

Darkgate

Source

Intrusion Analysis

Description

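// Teams link clicks on SharePoint personal-site share links whose site name ends in _onmicrosoft_com
UrlClickEvents
| where Workload =~ "Teams"
| where Url matches regex @"https:\/\/[a-zA-Z0-9-_]+\.sharepoint\.com\/:[a-zA-Z]:\/g\/personal\/[a-zA-Z0-9_]+_onmicrosoft_com"

// Network connections where RemoteUrl contains all three terms
DeviceNetworkEvents
| where RemoteUrl has_all ("ceo",".sharepoint.com","_onmicrosoft_com")

// Link clicks (any workload) where Url contains all three terms
UrlClickEvents
| where Url has_all ("ceo",".sharepoint.com","_onmicrosoft_com")

// Network connections to the same personal-site share link pattern as the first query
DeviceNetworkEvents
| where RemoteUrl matches regex @"https:\/\/[a-zA-Z0-9-_]+\.sharepoint\.com\/:[a-zA-Z]:\/g\/personal\/[a-zA-Z0-9_]+_onmicrosoft_com"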
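
Added example, not part of the original file: the Teams click query run against a constructed datatable shaped like UrlClickEvents, extended to capture the SharePoint host prefix and personal-site name and to exclude the organisation's own host. The sample rows, the contoso/fabrikam names, the Note column and the OwnSharePointHosts list are assumptions made for illustration.

```kql
// Added example: constructed rows, not real telemetry.
// Assumption: "contoso-my" stands in for your own tenant's OneDrive host prefix.
let OwnSharePointHosts = dynamic(["contoso-my"]);
datatable(Timestamp:datetime, Workload:string, Url:string, Note:string)
[
    datetime(2024-01-10 09:01:00), "Teams", "https://fabrikam-my.sharepoint.com/:u:/g/personal/ceo_fabrikam_onmicrosoft_com/EXAMPLE1", "constructed: personal share, other tenant",
    datetime(2024-01-10 09:05:00), "Teams", "https://contoso-my.sharepoint.com/:x:/g/personal/alice_contoso_onmicrosoft_com/EXAMPLE2", "constructed: personal share, own tenant",
    datetime(2024-01-10 09:09:00), "Teams", "https://fabrikam.sharepoint.com/sites/finance/Shared%20Documents/report.docx", "constructed: team site, no personal path",
    datetime(2024-01-10 09:12:00), "Email", "https://fabrikam-my.sharepoint.com/:u:/g/personal/ceo_fabrikam_onmicrosoft_com/EXAMPLE1", "constructed: same link clicked from mail",
    datetime(2024-01-10 09:20:00), "Teams", "https://fabrikam-my.sharepoint.com/:u:/g/personal/bob_fabrikam_com/EXAMPLE3", "constructed: personal share, custom-domain account"
]
| where Workload =~ "Teams"
| where Url matches regex @"https:\/\/[a-zA-Z0-9-_]+\.sharepoint\.com\/:[a-zA-Z]:\/g\/personal\/[a-zA-Z0-9_]+_onmicrosoft_com"
// Pull out the host prefix and personal-site name for triage and allow-listing.
| extend SharePointHost = extract(@"https:\/\/([a-zA-Z0-9-_]+)\.sharepoint\.com", 1, Url),
         PersonalSite   = extract(@"\/personal\/([a-zA-Z0-9_]+_onmicrosoft_com)", 1, Url)
// Drop share links hosted by the organisation's own tenant.
| where SharePointHost !in~ (OwnSharePointHosts)
| summarize Clicks = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by SharePointHost, PersonalSite
```

To run it against live data, replace the datatable with UrlClickEvents and fill OwnSharePointHosts with your tenant's host prefixes.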