LoFP / false positives should be limited, but if any are present, filter as needed.

Techniques

• T1003
• T1003.002
• T1566
• T1566.001

Sample rules

Winword Spawning Cmd

• source: splunk
• technicques:
  • T1566
  • T1566.001

Description

The following detection identifies Microsoft Word spawning cmd.exe. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path C:\Program Files\Microsoft Office\root\Office16 (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to explorer.exe or wmiprvse.exe.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `winword_spawning_cmd_filter`

Excel Spawning PowerShell

• source: splunk
• technicques:
  • T1003.002
  • T1003

Description

The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path C:\Program Files\Microsoft Office\root\Office16 (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.

Detection logic

| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name 
| `drop_dm_object_name("Processes")` 
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)` 
| `excel_spawning_powershell_filter`

Winword Spawning PowerShell

• source: splunk
• technicques:
  • T1566
  • T1566.001

Description

The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path C:\Program Files\Microsoft Office\root\Office16 (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="winword.exe" `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `winword_spawning_powershell_filter`

Office Product Spawning Rundll32 with no DLL

• source: splunk
• technicques:
  • T1566
  • T1566.001

Description

The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning rundll32.exe without a .dll file extension. In malicious instances, the command-line of rundll32.exe will look like rundll32 ..\oepddl.igk2,DllRegisterServer. In addition, Threat Research has released a detection identifying the use of DllRegisterServer on the command-line of rundll32.exe. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the DLL that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `office_product_spawning_rundll32_with_no_dll_filter`