Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
BazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for a copy of certutil.exe used by the macro.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Microsoft Defender XDR |
| ID | 4d11f63f-5b64-416e-8d77-266e4c6d382e |
| Tactics | InitialAccess, DefenseEvasion |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
DeviceFileEvents |
InitiatingProcessFileName != "certutil.exe"InitiatingProcessFileName != "cmd.exe" |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊