← @kwm Twitter archive

Keith

@kwm

When opening a Microsoft Office doc on Windows, the filename is passed via CLI. Not the case on macOS.

To find Office doc access in macOS telemetry, look for file modifications beginning with "ActiveDocs".

Document: Yer_Document.docx
File Mod: ActiveDocs_Yer_Document.docx

4/23/2018, 11:20:36 PM

Favs: 13

Retweets: 1

Keith

@kwm

Hunting for Microsoft Office activity across your macOS fleet? Similar file modification events appear every time an Office application opens an Office document. The process CLI will include the process name + ProcessSerialNumber:

PowerPoint -psn_0_13155467

4/24/2018, 11:20:53 AM

Favs: 3

Retweets: 0

Keith

@kwm

Using @CarbonBlack_Inc Response, you can locate Microsoft Word and PowerPoint file open events using:

os_type:"osx" AND filemod:ActiveDocs*

4/24/2018, 11:38:36 AM

Favs: 1

Retweets: 1

Keith

@kwm

Using @CarbonBlack_Inc Response, you can use this less precise method to locate all Office document open events:

(process_name:"Microsoft Word" OR process_name:"Microsoft Excel" OR process_name:"Microsoft PowerPoint") AND filemod:~*

Excel doesn't use the ActiveDocs convention.

4/24/2018, 11:40:44 AM

Favs: 3

Retweets: 0
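The hunting rules from this thread, turned into a small classifier run over constructed telemetry. This is an added example, not code from @kwm or from Carbon Black; the event field names (os_type, proc, cmdline, filemod) and the "~$" lock-file pattern used as the Excel fallback are assumptions.

```python
"""Classify macOS Office document-open events from endpoint telemetry.

Added example, not code from the @kwm thread or from Carbon Black. It encodes
the thread's rules over constructed events: Word/PowerPoint write a file named
"ActiveDocs_<doc>" on open, Excel does not (so "~" lock files are the fallback),
and the macOS Office command line carries "-psn_<n>_<n>", not the document.
Field names (os_type, proc, cmdline, filemod) are assumptions for this demo.
"""
import re
from dataclasses import dataclass
from typing import Optional

OFFICE_PROCS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
ACTIVEDOCS_RE = re.compile(r"^ActiveDocs_(?P<doc>.+)$")
LOCKFILE_RE = re.compile(r"^~\$?(?P<doc>.+)$")  # e.g. ~$Budget.xlsx (assumed)
PSN_RE = re.compile(r"-psn_\d+_\d+")

@dataclass
class Hit:
    process: str
    document: str
    precise: bool  # True: ActiveDocs match; False: "~" fallback only

def classify(event: dict) -> Optional[Hit]:
    """Return a Hit when the event looks like an Office document open on macOS."""
    if event.get("os_type") != "osx" or event.get("proc") not in OFFICE_PROCS:
        return None
    basename = event.get("filemod", "").rsplit("/", 1)[-1]
    if m := ACTIVEDOCS_RE.match(basename):
        return Hit(event["proc"], m.group("doc"), True)
    if m := LOCKFILE_RE.match(basename):
        return Hit(event["proc"], m.group("doc"), False)
    return None

def cli_hides_document(event: dict) -> bool:
    """True for the macOS '-psn_' form, where the CLI never names the file."""
    return PSN_RE.search(event.get("cmdline", "")) is not None

def hunt(events) -> list:
    return [hit for hit in map(classify, events) if hit is not None]

# Constructed sample telemetry; container paths shortened with "...".
SAMPLE_EVENTS = [
    {"os_type": "osx", "proc": "Microsoft Word", "cmdline": "Word -psn_0_13155467",
     "filemod": "/Users/alice/Library/Containers/.../ActiveDocs_Yer_Document.docx"},
    {"os_type": "osx", "proc": "Microsoft Excel", "cmdline": "Excel -psn_0_13159563",
     "filemod": "/Users/alice/Documents/~$Budget.xlsx"},
    {"os_type": "osx", "proc": "Microsoft Word", "cmdline": "Word -psn_0_13155467",
     "filemod": "/Users/alice/Library/Group Containers/.../Normal.dotm"},
]
```

Running hunt(SAMPLE_EVENTS) yields the Word open of Yer_Document.docx as a precise ActiveDocs hit and the Excel open of Budget.xlsx only via the less precise lock-file fallback; the template write is ignored.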