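// Children of teams.exe whose image name is outside the expected set. Two
// launch paths are covered: processes started by teams.exe directly, and
// processes started by its protocolhandler.exe helper when that helper was
// itself started by teams.exe.
// All name comparisons are case-insensitive (=~, !in~) because Windows image
// names are reported with varying case; the original second branch used ==,
// which would miss e.g. "ProtocolHandler.exe".
//
// Expected child images. Matching is by image name only: an entry here is
// never reported regardless of its path or signer.
let allowedProcs = dynamic(["teams.exe", "msedge.exe", "onenote.exe", "firefox.exe", "protocolhandler.exe", "werfault.exe",
    "OneDrive.exe", "winproj.exe", "chrome.exe", "mspub.exe", "outlook.exe", "iexplore.exe", "winword.exe", "excel.exe", "7zG.exe",
    "7zFM.exe", "AcroRd32.exe", "crashpad_handler.exe", "mspaint.exe", "notepad.exe", "PBIDesktop.exe", "Powerpnt.exe", "wermgr.exe", "visio.exe"]);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "teams.exe"
| where FileName !in~ (allowedProcs)
// Exclude the Squirrel updater (Update.exe) in its expected per-user and
// ProgramData locations. The dot in "Update.exe" is escaped so it no longer
// matches any character, and the ProgramData folder-name group now repeats
// like the per-user one (the original matched only a single character or a
// single \w run there). (?i) keeps the path check case-insensitive like the
// name checks above. \w is ASCII-only in RE2, so profiles with non-ASCII user
// names are not excluded and surface here as false positives, not misses.
// ProgramData is assumed to live on C, D or E.
| where not(FolderPath matches regex @"(?i)[C-Z]:\\Users\\[\w.\-\s]+\\AppData\\Local\\(Microsoft\\Teams|SquirrelTemp)\\Update\.exe")
    and not(FolderPath matches regex @"(?i)[C-E]:\\ProgramData\\[\w.\-\s]+\\(SquirrelTemp|Microsoft\\Teams)\\Update\.exe")
| union (
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "protocolhandler.exe"
        and InitiatingProcessParentFileName =~ "teams.exe"
    | where FileName !in~ (allowedProcs)
)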