Potential Foxmail Exploitation

calendar Nov 4, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Initial Access Tactic: Execution Data Source: Elastic Defend Data Source: Sysmon Data Source: System Data Source: Elastic Endgame Data Source: SentinelOne Data Source: Microsoft Defender for Endpoint Data Source: Crowdstrike  ·
Share on: linkedin copy

Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/08/29"
 3integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. 
13This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via 
14a malicious email.
15"""
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-windows.*",
20    "endgame-*",
21    "logs-system.security*",
22    "logs-windows.sysmon_operational-*",
23    "logs-sentinel_one_cloud_funnel.*",
24    "logs-m365_defender.event-*", 
25    "logs-endpoint.events.process-*", 
26    "logs-crowdstrike.fdr*"
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Potential Foxmail Exploitation"
31references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
32risk_score = 73
33rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
34severity = "high"
35tags = [
36    "Domain: Endpoint",
37    "OS: Windows",
38    "Use Case: Threat Detection",
39    "Tactic: Initial Access",
40    "Tactic: Execution",
41    "Data Source: Elastic Defend",
42    "Data Source: Sysmon", 
43    "Data Source: System", 
44    "Data Source: Elastic Endgame",
45    "Data Source: SentinelOne",
46    "Data Source: Microsoft Defender for Endpoint",
47    "Data Source: Crowdstrike"
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53process where host.os.type == "windows" and event.type == "start" and 
54 process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1203"
62name = "Exploitation for Client Execution"
63reference = "https://attack.mitre.org/techniques/T1203/"
64
65
66[rule.threat.tactic]
67id = "TA0002"
68name = "Execution"
69reference = "https://attack.mitre.org/tactics/TA0002/"
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72[[rule.threat.technique]]
73id = "T1189"
74name = "Drive-by Compromise"
75reference = "https://attack.mitre.org/techniques/T1189/"
76
77
78[rule.threat.tactic]
79id = "TA0001"
80name = "Initial Access"
81reference = "https://attack.mitre.org/tactics/TA0001/"

References

Related rules

to-top