windows_spearphishing_attachment_onenote_spawn_mshta.yml

name: Windows Spearphishing Attachment Onenote Spawn Mshta
id: 35aeb0e7-7de5-444a-ac45-24d6788796ec
version: 1
date: '2023-01-24'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following detection identifies the latest behavior utilized by different
  malware families (including TA551, AsyncRat, Redline and DCRAT). This detection
  identifies onenote Office Product spawning `mshta.exe`. In malicious instances,
  the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to
  the remote destination. In addition, Threat Research has released a detections identifying
  suspicious use of `mshta.exe`. In this instance, we narrow our detection down to
  the Office suite as a parent process. During triage, review all file modifications.
  Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will
  have reached out to a remote destination, capture and block the IPs or domain. Review
  additional parallel processes for further activity.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
  IN ("onenote.exe", "onenotem.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name
  Processes.parent_process Processes.process_name Processes.original_file_name Processes.process
  Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: No false positives known. Filter as needed.
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
tags:
  analytic_story:
  - Spearphishing Attachments
  - AsyncRAT
  asset_type: Endpoint
  confidence: 90
  impact: 90
  message: office parent process $parent_process_name$ will execute a suspicious child
    process $process_name$ with process id $process_id$ in host $dest$
  mitre_attack_id:
  - T1566.001
  - T1566
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: process_name
    type: Process
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.original_file_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_path
  - Processes.process_path
  - Processes.parent_process_id
  risk_score: 81
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
    update_timestamp: true