Detect Outlook exe writing a zip file
- source: splunk
- techniques:
- T1566
- T1566.001
Description
This search looks for execution of the process outlook.exe and joins each Outlook process, by its process_id, to Endpoint.Filesystem events in which that same process wrote a .zip file (or a .lnk file) under C:\Users or a Local\Temp directory.
Note the field naming in the search: malicious_id is Outlook's own process_id (the join key) and outlook_id is its parent_process_id.
The join is keyed on process_id alone, not on dest, so process ID reuse across hosts can pair an Outlook process on one endpoint with a file write by an unrelated process on another; adding dest to the join key tightens the match.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename process_id as malicious_id
| rename parent_process_id as outlook_id
| join malicious_id type=inner[
| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename process_id as malicious_id
| fields malicious_id outlook_id dest file_path file_name file_hash count file_id]
| table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path
| where file_name != ""
| `detect_outlook_exe_writing_a_zip_file_filter`
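The correlation the search above performs, re-implemented in Python over constructed endpoint events so it can be run offline. This is an added example, not part of the Splunk rule or of the Splunk Endpoint data model. It assumes the event dictionaries carry the same field names the search uses (dest, process_id, parent_process_id, process_name, file_path, file_name, file_hash), that Splunk's wildcard match on these fields is case-insensitive, and it omits the 5-minute time bucketing. It also keys the join on (dest, process_id) rather than on process_id alone as the SPL does; the ws02 sample event shows the cross-host PID collision that the dest-aware key filters out.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry). Field names mirror the
# Endpoint.Processes and Endpoint.Filesystem data-model fields used in the SPL.
PROCESS_EVENTS = [
    {"_time": 1700000010, "dest": "ws01", "process_id": 4321, "parent_process_id": 1200,
     "process_name": "outlook.exe", "parent_process_name": "explorer.exe", "user": "acme\\alice"},
    {"_time": 1700000040, "dest": "ws01", "process_id": 4321, "parent_process_id": 1200,
     "process_name": "OUTLOOK.EXE", "parent_process_name": "explorer.exe", "user": "acme\\alice"},
    # Same PID as alice's Outlook but on another host and a different binary.
    {"_time": 1700000020, "dest": "ws02", "process_id": 4321, "parent_process_id": 1300,
     "process_name": "winword.exe", "parent_process_name": "explorer.exe", "user": "acme\\bob"},
    {"_time": 1700000030, "dest": "ws03", "process_id": 999, "parent_process_id": 1400,
     "process_name": "outlook.exe", "parent_process_name": "explorer.exe", "user": "acme\\carol"},
]
FILESYSTEM_EVENTS = [
    # Outlook on ws01 writes a zip under Local\Temp: matches.
    {"_time": 1700000100, "dest": "ws01", "process_id": 4321, "file_hash": "aa11",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.zip", "file_name": "invoice.zip"},
    # winword.exe on ws02 with the colliding PID: a PID-only join would pair this with ws01's Outlook.
    {"_time": 1700000110, "dest": "ws02", "process_id": 4321, "file_hash": "bb22",
     "file_path": "C:\\Users\\bob\\Downloads\\report.zip", "file_name": "report.zip"},
    # Outlook on ws03 writes a zip outside the watched paths: excluded by the path clause.
    {"_time": 1700000120, "dest": "ws03", "process_id": 999, "file_hash": "cc33",
     "file_path": "D:\\share\\archive.zip", "file_name": "archive.zip"},
    # Outlook on ws03 writes a .lnk under C:\Users: matches via the *.lnk branch.
    {"_time": 1700000130, "dest": "ws03", "process_id": 999, "file_hash": "dd44",
     "file_path": "C:\\Users\\carol\\Desktop\\link.lnk", "file_name": "link.lnk"},
]


def splunk_like(value, pattern):
    """Case-insensitive glob match approximating `field=pattern` with wildcards in SPL.
    (Assumption: Splunk's wildcard match on these fields is case-insensitive.)"""
    return fnmatchcase(value.lower(), pattern.lower())


def is_watched_write(ev):
    """Mirrors the Filesystem `where` clause of the subsearch:
    (file_path=*.zip* OR file_name=*.lnk) AND (file_path=C:\\Users* OR file_path=*Local\\Temp*)."""
    path, name = ev["file_path"], ev["file_name"]
    kind_ok = splunk_like(path, "*.zip*") or splunk_like(name, "*.lnk")
    location_ok = splunk_like(path, "C:\\Users*") or splunk_like(path, "*Local\\Temp*")
    return kind_ok and location_ok


def detect_outlook_zip_writes(process_events, filesystem_events, process_name="outlook.exe"):
    """Return one row per Outlook process that wrote a watched file on the same host.

    Outer side: Outlook processes with firstTime/lastTime per (dest, pid).
    Inner side: watched file writes aggregated per (dest, pid).
    Inner join on (dest, pid); the SPL joins on malicious_id (pid) alone.
    """
    outlook = {}
    for ev in process_events:
        if ev["process_name"].lower() != process_name:
            continue
        key = (ev["dest"], ev["process_id"])
        row = outlook.setdefault(key, {
            "firstTime": ev["_time"], "lastTime": ev["_time"],
            "user": ev["user"], "dest": ev["dest"],
            "malicious_id": ev["process_id"],        # SPL: rename process_id as malicious_id
            "outlook_id": ev["parent_process_id"],   # SPL: rename parent_process_id as outlook_id
            "process_name": ev["process_name"],
            "parent_process_name": ev["parent_process_name"],
        })
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])

    writes = defaultdict(lambda: {"count": 0, "file_path": set(), "file_name": set(), "file_hash": set()})
    for ev in filesystem_events:
        if not is_watched_write(ev):
            continue
        agg = writes[(ev["dest"], ev["process_id"])]
        agg["count"] += 1
        agg["file_path"].add(ev["file_path"])
        agg["file_name"].add(ev["file_name"])
        agg["file_hash"].add(ev["file_hash"])

    results = []
    for key, row in outlook.items():
        if key not in writes:                       # type=inner: Outlook processes with no watched write drop out
            continue
        agg = writes[key]
        names = sorted(n for n in agg["file_name"] if n)   # `where file_name != ""`
        if not names:
            continue
        results.append({**row, "count": agg["count"], "file_name": names,
                        "file_path": sorted(agg["file_path"]), "file_hash": sorted(agg["file_hash"])})
    return results


if __name__ == "__main__":
    for row in detect_outlook_zip_writes(PROCESS_EVENTS, FILESYSTEM_EVENTS):
        print(row["dest"], row["user"], row["malicious_id"], row["outlook_id"], row["file_name"])
```

Running it yields two rows, ws01 (invoice.zip) and ws03 (link.lnk); the ws02 write is discarded because its PID belongs to winword.exe on that host, which is exactly the pairing a process_id-only join would have accepted.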