Detect-Follina-Exploitation.kql

//Detects the exploitation of Follina Microsoft Code Execution vulnerability
SecurityEvent 
| where EventID==4688 
| where ParentProcessName has_any ('winword.exe','excel.exe','outlook.exe') 
| where NewProcessName contains "msdt.exe" or CommandLine contains "msdt.exe"
| project TimeGenerated, NewProcessId, NewProcessName, ParentProcessName, CommandLine, EventID, Activity, Computer


//The below query could return false-positives please verify the output and modify the query according to your environment.
SecurityEvent 
| where EventID==4688 
| where ParentProcessName has_any ('sdiagnhost.exe', 'msdt.exe')
//| where NewProcessName contains "powershell" or NewProcessname contains "cmd.exe"  //optional: you can include this line for directly finding powershell or cmd process spawns
| project TimeGenerated, NewProcessId, NewProcessName, ParentProcessName, CommandLine, EventID, Activity, Computer