Techniques
Sample rules
Office Document Spawned Child Process To Download
- source: splunk
- technicques:
- T1566
- T1566.001
Description
This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_document_spawned_child_process_to_download_filter`