office_application_drop_executable.yml
name: Office Application Drop Executable
id: 73ce70c4-146d-11ec-9184-acde48001122
version: 4
date: '2023-02-15'
author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github
status: production
type: TTP
description: This search detects a Microsoft Office application (Word, Excel, PowerPoint,
  Publisher, Visio, WordPad, Word Viewer, OneNote or Access) creating an executable or
  script file (.exe, .dll, .pif, .scr, .js, .vbs, .vbe or .ps1) on a Windows host. The
  behavior is commonly seen with spear-phishing Office attachments, where a macro or an
  exploit drops a malicious loader or script to compromise the host. Some legitimate
  macros drop scripts or tools as part of automation, but this is uncommon for normal
  Office use and the behavior should be treated as suspicious.
data_source:
- Sysmon EventID 1
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe")
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest
  Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time
  [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe","*.dll","*.pif","*.scr","*.js","*.vbs","*.vbe","*.ps1")
  by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name
  Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)`
  | fields _time dest file_create_time file_name file_path process_name process_path
  process process_guid] | dedup file_create_time | table dest, process_name, process,
  file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting both
  process creation events (process name, parent process, command line and process GUID)
  and file creation events from your endpoints, mapped to the Processes and Filesystem
  datasets of the Endpoint data model. The two datasets are joined on process_guid, so
  both event types must carry it. If you are using Sysmon, you must have at least
  version 6.0.4 of the Sysmon TA. Tune and filter known automation macros or add-ins
  that legitimately write scripts or executables.
known_false_positives: Office macros or add-ins used for automation may legitimately
  drop scripts or executables. Filter known cases by process, file path or file name
  using the office_application_drop_executable_filter macro.
references:
- https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation
- https://attack.mitre.org/groups/G0046/
- https://www.joesandbox.com/analysis/702680/0/html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
tags:
  analytic_story:
  - FIN7
  - AgentTesla
  - CVE-2023-21716 Word RTF Heap Corruption
  - Warzone RAT
  - PlugX
  asset_type: Endpoint
  confidence: 80
  impact: 80
  message: process $process_name$ dropped file $file_name$ on host $dest$
  mitre_attack_id:
  - T1566
  - T1566.001
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: process_name
    type: Process
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - process_name
  - file_name
  - process_guid
  - dest
  - user_id
  risk_score: 64
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
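The SPL above correlates two datasets: Endpoint.Processes (Sysmon EventID 1) filtered to the Office image names, joined on process_guid and the hourly _time bucket to Endpoint.Filesystem (Sysmon EventID 11) filtered to executable and script extensions. The following is an added example, not part of the Splunk content or its test data: it re-implements that logic in Python over constructed Sysmon-shaped XML events so the join can be stepped through offline. The hostname, GUIDs, user and file paths are invented, and the `sysmon_xml` helper only emits the fields the detection reads. It also exposes the caveat hidden in `by _time span=1h`: because both sides are bucketed to the hour and joined on _time as well as process_guid, a file written just after an hour boundary does not correlate to a process started just before it. `run_sample(bucket_join=False)` runs the same events joined on process_guid alone for comparison.

```python
"""Added example (not part of the Splunk detection above): re-implements the
Office-drops-executable logic over constructed Sysmon XML events (EventID 1 and 11)."""
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import PureWindowsPath

# Process names and dropped-file extensions copied from the SPL search.
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe", "wordpad.exe",
    "wordview.exe", "onenote.exe", "onenotem.exe", "onenoteviewer.exe", "onenoteim.exe",
    "msaccess.exe",
}
DROPPED_EXTENSIONS = (".exe", ".dll", ".pif", ".scr", ".js", ".vbs", ".vbe", ".ps1")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon XML event into a dict: EventData fields plus EventID and Computer."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    ev["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return ev


def hour_bucket(utc_time):
    """Mimic `by _time span=1h`: truncate Sysmon's 'YYYY-MM-DD HH:MM:SS.fff' UtcTime to the hour."""
    return datetime.strptime(utc_time[:19], "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)


def detect_office_drops(events, bucket_join=True):
    """Return (dest, process_name, target_file) for Office processes that wrote an
    executable or script. bucket_join=True reproduces the SPL join on process_guid AND
    the hourly _time bucket; False joins on process_guid alone."""
    def key(ev):
        return (ev["ProcessGuid"], hour_bucket(ev["UtcTime"]) if bucket_join else None)

    # Endpoint.Processes side: EventID 1 filtered to Office image names.
    office = {}
    for ev in events:
        if ev["EventID"] == 1:
            name = PureWindowsPath(ev["Image"]).name.lower()
            if name in OFFICE_PROCESSES:
                office[key(ev)] = (ev["Computer"], name)
    # Endpoint.Filesystem side: EventID 11 filtered to the dropped-file extensions.
    hits = []
    for ev in events:
        if ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith(DROPPED_EXTENSIONS):
            match = office.get(key(ev))
            if match:
                hits.append((match[0], match[1], ev["TargetFilename"]))
    return hits


def sysmon_xml(event_id, computer, **data):
    """Build a minimal Sysmon-shaped XML event. Constructed test data, not a real capture."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{rows}</EventData></Event>')


# Constructed sample: hostname, GUIDs, user and paths are invented for the example.
HOST = "ws01.corp.example"
WORD_GUID = "{a1b2c3d4-0000-1111-2222-333344445555}"
EXCEL_GUID = "{a1b2c3d4-0000-1111-2222-666677778888}"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    sysmon_xml(1, HOST, UtcTime="2023-02-15 10:58:12.000", ProcessGuid=WORD_GUID, ProcessId="4120",
               Image=WORD, CommandLine=f'"{WORD}" /n C:\\Users\\alice\\Downloads\\invoice.docm'),
    # Macro drops a script 28 seconds later: should alert.
    sysmon_xml(11, HOST, UtcTime="2023-02-15 10:58:40.000", ProcessGuid=WORD_GUID, Image=WORD,
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\update.vbs"),
    # Word's own lock file: not an executable extension, ignored.
    sysmon_xml(11, HOST, UtcTime="2023-02-15 10:58:41.000", ProcessGuid=WORD_GUID, Image=WORD,
               TargetFilename=r"C:\Users\alice\Downloads\~$invoice.docm"),
    # Same Word process writes an .exe after the 11:00 hour boundary: missed by the bucket join.
    sysmon_xml(11, HOST, UtcTime="2023-02-15 11:00:05.000", ProcessGuid=WORD_GUID, Image=WORD,
               TargetFilename=r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    # Excel saving a workbook: Office process, but not an executable, ignored.
    sysmon_xml(1, HOST, UtcTime="2023-02-15 10:30:00.000", ProcessGuid=EXCEL_GUID, ProcessId="5200",
               Image=EXCEL, CommandLine=f'"{EXCEL}"'),
    sysmon_xml(11, HOST, UtcTime="2023-02-15 10:31:00.000", ProcessGuid=EXCEL_GUID, Image=EXCEL,
               TargetFilename=r"C:\Users\alice\Documents\report.xlsx"),
]


def run_sample(bucket_join=True):
    """Parse the constructed events and run the detection over them."""
    events = [parse_sysmon_event(x) for x in SAMPLE_EVENTS]
    return detect_office_drops(events, bucket_join)


if __name__ == "__main__":
    for dest, pname, target in run_sample():
        print(f"process {pname} dropped file {target} on host {dest}")
```

With `bucket_join=True` only the update.vbs drop is reported, matching what the SPL would return for these events; with `bucket_join=False` the svchost.exe written at 11:00:05 by the same Word process is reported as well. In production the bucket join is a trade-off between `tstats` performance and missing drops that straddle an hour boundary; widening the span or joining on process_guid alone with a time-window check closes that gap at some cost.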