5 Steps to Create Conditional Formatting Rules in Excel for Threat Hunters
Microsoft Excel: a powerful spreadsheet tool you are not using to its full potential to find attackers in your data
Excel can be a powerful tool to conduct analysis of data for threat hunters.
In this week's newsletter I want to show you how you can use Excel to create powerful conditional formatting rules to filter and reduce your data when looking for threats.
Here's how to do it:
1. Select the range of cells you want to apply the conditional formatting to.
Click the top of the column you want to create the rule for
2. Go to the 'Home' tab, click on 'Conditional Formatting' in the 'Styles' group, and choose the desired formatting rule.
Choose Highlight Cells Rules
Text that Contains
Inside the box, type User
This highlights every cell whose text contains "User", which catches executables being launched from user folders, and colors them red. Depending on your environment, this could be abnormal.
Click OK
3. Customize the rule by specifying the conditions and formatting options.
You can color your cells any color; I chose red because it stands out more.
4. Now you can format the Excel sheet as a table
Click OK
5. Click the dropdown on the Image column and sort by color
Now for my environment I know OneDrive executables running from User locations are normal. I notice a weird executable named p.exe I need to look into that is running from the ljessica home folder. I am now pretty sure I found a suspicious process that warrants further investigation!
After initial triage of the executable I found that this is Meterpreter and would immediately roll into my response functions.
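The same triage as steps 1 to 5, scripted for exports too large to review comfortably in Excel. This is an added example, not part of the original workflow. The sample rows, the Computer column, the bsmith account, the full paths and the OneDrive allowlist entry are constructed assumptions; only the Image column, the ljessica home folder and p.exe come from the post.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not data from the original post). "Image" is the
# column that step 5 sorts by color.
SAMPLE_CSV = r"""Computer,Image
WS01,C:\Windows\System32\svchost.exe
WS01,C:\Users\ljessica\AppData\Local\Microsoft\OneDrive\OneDrive.exe
WS02,C:\Users\bsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe
WS02,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
WS01,C:\Users\ljessica\p.exe
WS03,C:\Users\bsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""

# Narrower than the spreadsheet rule "Text that Contains: User": match the
# \Users\ path component so unrelated strings containing "user" are not flagged.
USER_PATH_MARKER = "\\users\\"

# Assumption: per-user locations considered normal in this environment,
# mirroring the post's note that OneDrive running from user folders is expected.
KNOWN_GOOD = ("\\appdata\\local\\microsoft\\onedrive\\",)


def triage(csv_text, known_good=KNOWN_GOOD):
    """Return flagged images, unexpected and rarest first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Equivalent of the red highlight: image path sits under a user folder.
    flagged = [r for r in rows if USER_PATH_MARKER in r["Image"].lower()]
    counts = Counter(r["Image"].lower() for r in flagged)
    results = []
    for image, seen in counts.items():
        hosts = sorted({r["Computer"] for r in flagged
                        if r["Image"].lower() == image})
        results.append({
            "image": image,
            "count": seen,
            "hosts": hosts,
            # Expected entries are demoted, not dropped, so they stay reviewable.
            "expected": any(marker in image for marker in known_good),
        })
    # Equivalent of sorting by color, plus a rarity ordering within each group.
    results.sort(key=lambda r: (r["expected"], r["count"], r["image"]))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_CSV):
        label = "expected" if row["expected"] else "REVIEW"
        print(f'{label:8} {row["count"]:3} {",".join(row["hosts"]):10} {row["image"]}')
```

A path-only allowlist says where a file ran from, not what it is, so confirm expected entries by hash or signature before trusting them.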
So I hope everyone found this post useful and until next week…
Happy hunting!