LoFP / Windows Office documents may contain legitimate URL links to domains other than MS Office domains; a filter is needed

Techniques

Sample rules

Windows Spearphishing Attachment Connect To None MS Office Domain

Description

This detection was designed to identify suspicious Office documents that connect to a website other than a Microsoft Office domain. This technique was seen in several malicious documents that abuse the .rels XML properties of MS Office to connect to or download malicious files. This hunting query can be a good pivot or guide to check which URL the document tries to connect to, which domain, where the document came from and how the connection happens.

Detection logic

`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`
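As an added illustration (not part of the Splunk rule or its content pack), the same search and stats logic is applied in Python to a few constructed Sysmon EventCode 22 records; `FILTER_ALLOWLIST` stands in for the rule's filter macro, and its sharepoint.com entry is an assumed example of the legitimate non-Office domain noted above.

```python
import fnmatch

# Office process images from the rule's Image IN (...) clause; matched case-insensitively
# against the full path, as Splunk's wildcard match is.
OFFICE_IMAGES = ["*\\winword.exe", "*\\excel.exe", "*\\powerpnt.exe", "*\\mspub.exe",
                 "*\\visio.exe", "*\\wordpad.exe", "*\\wordview.exe", "*\\onenote.exe",
                 "*\\onenotem.exe", "*\\onenoteviewer.exe", "*\\onenoteim.exe", "*\\msaccess.exe"]
MS_OFFICE_DOMAINS = ["*.office.com", "*.office.net"]
# Stand-in for the rule's *_filter macro: domains the organization's documents legitimately
# link to (assumed example value; tune per environment to cut the false positives noted above).
FILTER_ALLOWLIST = ["*.sharepoint.com"]

def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_suspicious(event):
    """The rule's search clause applied to one Sysmon EventCode 22 (DNS query) event."""
    return (event.get("EventCode") == 22
            and _matches_any(event["Image"], OFFICE_IMAGES)
            and not _matches_any(event["QueryName"], MS_OFFICE_DOMAINS)
            and not _matches_any(event["QueryName"], FILTER_ALLOWLIST))

def hunt(events):
    """Equivalent of the stats/rename stages: count, firstTime and lastTime per group key."""
    rows = {}
    for e in filter(is_suspicious, events):
        key = (e["Image"], e["QueryName"], e.get("QueryResults", ""),
               e.get("QueryStatus", ""), e["Computer"])
        r = rows.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], e["_time"])
        r["lastTime"] = max(r["lastTime"], e["_time"])
    return [dict(zip(("Image", "QueryName", "QueryResults", "QueryStatus", "dest"), k), **v)
            for k, v in rows.items()]

WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [  # constructed Sysmon EventCode 22 records, not real telemetry
    {"_time": 100, "EventCode": 22, "Computer": "WS01", "Image": WORD,
     "QueryName": "templates.office.com", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.5;"},
    {"_time": 105, "EventCode": 22, "Computer": "WS01", "Image": WORD,
     "QueryName": "docs-update.example.net", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.9;"},
    {"_time": 110, "EventCode": 22, "Computer": "WS01", "Image": WORD,
     "QueryName": "docs-update.example.net", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.9;"},
    {"_time": 112, "EventCode": 22, "Computer": "WS01", "Image": EXCEL,
     "QueryName": "contoso.sharepoint.com", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.7;"},
    {"_time": 115, "EventCode": 22, "Computer": "WS01", "Image": CHROME,
     "QueryName": "docs-update.example.net", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.9;"},
]
if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # one row: WINWORD.EXE -> docs-update.example.net, count 2
```

Only the two Word lookups of the non-Office, non-allowlisted domain survive and collapse into one row, which is the pivot the description suggests starting from.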