Techniques
Sample rules
Windows Spearphishing Attachment Onenote Spawn Mshta
- source: splunk
- techniques:
- T1566.001
- T1566
Description
The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies the OneNote Office product spawning mshta.exe. In malicious instances, the command-line of mshta.exe will contain the .hta file locally, or a URL to the remote destination. In addition, Threat Research has released a detection identifying suspicious use of mshta.exe. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office product or mshta.exe will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("onenote.exe", "onenotem.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_spearphishing_attachment_onenote_spawn_mshta_filter`
Office Product Spawning BITSAdmin
- source: splunk
- techniques:
- T1566
- T1566.001
Description
The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office product spawning bitsadmin.exe. In malicious instances, the command-line of bitsadmin.exe will contain a URL to a remote destination or similar command-line arguments such as transfer, Download, priority, Foreground. In addition, Threat Research has released a detection identifying suspicious use of bitsadmin.exe. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office product or bitsadmin.exe will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_product_spawning_bitsadmin_filter`
Office Product Spawning MSHTA
- source: splunk
- techniques:
- T1566
- T1566.001
Description
The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office product spawning mshta.exe. In malicious instances, the command-line of mshta.exe will contain the .hta file locally, or a URL to the remote destination. In addition, Threat Research has released a detection identifying suspicious use of mshta.exe. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office product or mshta.exe will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe", "onenote.exe","onenotem.exe", "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_product_spawning_mshta_filter`
Office Product Spawning CertUtil
- source: splunk
- techniques:
- T1566
- T1566.001
Description
The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office product spawning certutil.exe. In malicious instances, the command-line of certutil.exe will contain a URL to a remote destination. In addition, Threat Research has released a detection identifying suspicious use of certutil.exe. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office product or certutil.exe will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_product_spawning_certutil_filter`
Office Product Spawning Wmic
- source: splunk
- techniques:
- T1566
- T1566.001
Description
The following detection identifies the latest behavior utilized by the Ursnif malware family. This detection identifies any Windows Office product spawning wmic.exe. In malicious instances, the command-line of wmic.exe will contain wmic process call create. In addition, Threat Research has released a detection identifying the use of wmic process call create on the command-line of wmic.exe. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office product or wmic.exe will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_product_spawning_wmic_filter`
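All five rules above share one shape: a parent-process allow-list from the Office suite joined to one child binary, then grouped and counted with firstTime/lastTime. The following Python is an added example (not Splunk's code) that emulates that logic over constructed endpoint process events; it assumes the `process_*` macros match on either process_name or original_file_name, case-insensitively, and abridges the `by` clause to dest, user, parent name, child name and command line.

```python
from collections import defaultdict

# Parent allow-lists copied from the SPL above (the OneNote rule uses the short list).
ONENOTE_PARENTS = {"onenote.exe", "onenotem.exe"}
OFFICE_PARENTS = ONENOTE_PARENTS | {
    "winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe",
    "onenoteviewer.exe", "onenoteim.exe", "msaccess.exe", "graph.exe", "winproj.exe",
}

# Rule name -> (allowed parents, child binary the `process_*` macro looks for).
RULES = {
    "Windows Spearphishing Attachment Onenote Spawn Mshta": (ONENOTE_PARENTS, "mshta.exe"),
    "Office Product Spawning BITSAdmin": (OFFICE_PARENTS, "bitsadmin.exe"),
    "Office Product Spawning MSHTA": (OFFICE_PARENTS, "mshta.exe"),
    "Office Product Spawning CertUtil": (OFFICE_PARENTS, "certutil.exe"),
    "Office Product Spawning Wmic": (OFFICE_PARENTS, "wmic.exe"),
}

# Constructed sample telemetry, shaped like Endpoint.Processes fields (not real data).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice", "parent_process_name": "ONENOTE.EXE",
     "process_name": "mshta.exe", "original_file_name": "MSHTA.EXE", "process": "mshta.exe http://example.invalid/p.hta"},
    {"_time": 1700000060, "dest": "ws01", "user": "CORP\\alice", "parent_process_name": "ONENOTE.EXE",
     "process_name": "mshta.exe", "original_file_name": "MSHTA.EXE", "process": "mshta.exe http://example.invalid/p.hta"},
    {"_time": 1700000120, "dest": "ws02", "user": "CORP\\bob", "parent_process_name": "WINWORD.EXE",
     "process_name": "certutil.exe", "original_file_name": "CertUtil.exe", "process": "certutil.exe -urlcache http://example.invalid/a"},
    {"_time": 1700000180, "dest": "ws03", "user": "CORP\\carol", "parent_process_name": "explorer.exe",
     "process_name": "mshta.exe", "original_file_name": "MSHTA.EXE", "process": "mshta.exe C:\\tool\\ui.hta"},
    {"_time": 1700000240, "dest": "ws04", "user": "CORP\\dave", "parent_process_name": "EXCEL.EXE",
     "process_name": "renamed.exe", "original_file_name": "wmic.exe", "process": "renamed.exe process call create calc"},
]

def child_matches(event, binary):
    """Assumed macro behaviour: match the image name or its PE original file name."""
    names = {event.get("process_name", "").lower(), event.get("original_file_name", "").lower()}
    return binary in names

def run_rules(events):
    """Emulate the tstats pipeline: filter parent/child pairs per rule, then group,
    count, and track firstTime/lastTime like min(_time)/max(_time) in the SPL."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        parent = ev.get("parent_process_name", "").lower()
        for rule, (parents, binary) in RULES.items():
            if parent in parents and child_matches(ev, binary):
                key = (rule, ev["dest"], ev["user"], parent, ev["process_name"].lower(), ev["process"])
                h = hits[key]
                h["count"] += 1
                h["firstTime"] = ev["_time"] if h["firstTime"] is None else min(h["firstTime"], ev["_time"])
                h["lastTime"] = ev["_time"] if h["lastTime"] is None else max(h["lastTime"], ev["_time"])
    return dict(hits)
```

Note that the two OneNote events fire both the OneNote-specific rule and the broader Office MSHTA rule, while the explorer.exe-parented mshta.exe is correctly ignored and the renamed wmic.exe is still caught through original_file_name.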