windows_phishing_pdf_file_executes_url_link.yml
name: Windows Phishing PDF File Executes URL Link
id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1
version: 1
date: '2023-01-18'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic detects a PDF viewer process that spawns a browser application
  as a child process. This behaviour was observed in a PDF spear-phishing attachment
  containing a malicious URL link used to download the actual payload. When the user
  clicks the malicious link, the PDF viewer launches the host's default browser to
  connect to the malicious site. A hit from this anomaly detection is a good indicator
  that a user has followed a link embedded in a PDF file. The PDF viewer and browser
  lists in this detection are still in progress; add the browsers and PDF viewers
  commonly used to open PDFs in your network.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN
  ("AcroRd32.exe", "FoxitPDFReader.exe") Processes.process_name IN ("firefox.exe",
  "chrome.exe", "iexplore.exe") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process
  Processes.process Processes.process_id Processes.dest | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: A PDF opened in a PDF viewer may legitimately contain a URL
  link that the user follows; filter as needed.
references:
- https://twitter.com/pr0xylife/status/1615382907446767616?s=20
tags:
  analytic_story:
  - Spearphishing Attachments
  - Snake Keylogger
  asset_type: Endpoint
  confidence: 80
  impact: 80
  message: a pdf file opened in pdf viewer process $parent_process_name$ has a child
    process of a browser $process_name$ in $dest$
  mitre_attack_id:
  - T1566.001
  - T1566
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.original_file_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_path
  - Processes.process_path
  - Processes.parent_process_id
  risk_score: 64
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
    update_timestamp: true
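The following Python is an added example, not part of this detection file or of Splunk's code. It re-implements the search's parent/child logic over a handful of constructed process-creation events that are already normalized to the `Endpoint.Processes` field names, aggregates `count`, `firstTime` and `lastTime` over the same fields the search groups by, and renders the `message` template. A plain URL-substring allowlist stands in for the site-specific `windows_phishing_pdf_file_executes_url_link_filter` macro, which is how the `known_false_positives` case (a legitimate link in a PDF) would be tuned out. The host names, user names, URLs, PIDs and allowlist markers are all assumptions.

```python
# Added example: parent/child process detection in the style of the
# "Windows Phishing PDF File Executes URL Link" search. Not Splunk's code.

# Parent/child pairs the search looks for. Windows file names are
# case-insensitive, so compare in lower case.
PDF_VIEWERS = {"acrord32.exe", "foxitpdfreader.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}

# Fields the search groups by; the tuple of their values is the alert key.
GROUP_BY = ("user", "parent_process_name", "process_name",
            "parent_process", "process", "process_id", "dest")

# Constructed sample events (hosts, users, URLs and PIDs are made up),
# normalized as the Endpoint.Processes data model would present them.
SAMPLE_EVENTS = [
    {"_time": "2023-01-18T09:14:02", "dest": "ws01", "user": r"CORP\alice",
     "parent_process_name": "AcroRd32.exe",
     "parent_process": r'"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" invoice.pdf',
     "process_name": "chrome.exe",
     "process": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://cdn.example.invalid/dl',
     "process_id": "4412"},
    # Normal browser launch from the shell: not a hit.
    {"_time": "2023-01-18T09:15:40", "dest": "ws01", "user": r"CORP\alice",
     "parent_process_name": "explorer.exe",
     "parent_process": r"C:\Windows\explorer.exe",
     "process_name": "chrome.exe",
     "process": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "process_id": "4520"},
    # Legitimate link to an internal site opened from a PDF: a hit until filtered.
    {"_time": "2023-01-18T09:31:11", "dest": "ws02", "user": r"CORP\bob",
     "parent_process_name": "FoxitPDFReader.exe",
     "parent_process": r'"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe" policy.pdf',
     "process_name": "firefox.exe",
     "process": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://intranet.example.invalid/policy',
     "process_id": "7780"},
    # Same user clicks the same link again a few seconds later: a second hit.
    {"_time": "2023-01-18T09:14:09", "dest": "ws01", "user": r"CORP\alice",
     "parent_process_name": "AcroRd32.exe",
     "parent_process": r'"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" invoice.pdf',
     "process_name": "chrome.exe",
     "process": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://cdn.example.invalid/dl',
     "process_id": "4470"},
]


def matches(event):
    """Equivalent of the tstats where-clause: PDF viewer parent, browser child."""
    return (event["parent_process_name"].lower() in PDF_VIEWERS
            and event["process_name"].lower() in BROWSERS)


def detect(events, allowed_url_markers=()):
    """Return {group_by_key: {count, firstTime, lastTime}} for matching events.

    allowed_url_markers stands in for the site-specific filter macro: a browser
    launch whose command line contains one of the markers is dropped.
    """
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        if any(marker in ev["process"] for marker in allowed_url_markers):
            continue
        key = tuple(ev[field] for field in GROUP_BY)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        row["count"] += 1
        # ISO-8601 timestamps compare correctly as strings.
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


def alert_message(key):
    """Render the detection's `message` template for one result row."""
    fields = dict(zip(GROUP_BY, key))
    return (f"a pdf file opened in pdf viewer process {fields['parent_process_name']} "
            f"has a child process of a browser {fields['process_name']} in {fields['dest']}")


if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS, ("intranet.example.invalid",)).items():
        print(row["count"], row["firstTime"], alert_message(key))
```

Because `process_id` is part of the group-by, each browser launch normally becomes its own result row, so `count` only exceeds one when the same process-creation event reaches the index more than once; the second click in the sample therefore produces a separate alert rather than incrementing the first. The allowlist is deliberately a command-line substring match so that it mirrors what a filter macro on `process` can express; keep it narrow, since a broad marker would also suppress a malicious link that happens to contain it.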