Potential Foxmail Exploitation
Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/08/29"
3integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
6min_stack_version = "8.13.0"
7updated_date = "2024/09/17"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory.
13This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via
14a malicious email.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-windows.*",
20 "endgame-*",
21 "logs-system.security*",
22 "logs-windows.sysmon_operational-*",
23 "logs-sentinel_one_cloud_funnel.*",
24 "logs-m365_defender.event-*",
25 "logs-endpoint.events.process-*"
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Potential Foxmail Exploitation"
30references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
31risk_score = 73
32rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
33severity = "high"
34tags = [
35 "Domain: Endpoint",
36 "OS: Windows",
37 "Use Case: Threat Detection",
38 "Tactic: Initial Access",
39 "Tactic: Execution",
40 "Data Source: Elastic Defend",
41 "Data Source: Sysmon",
42 "Data Source: System",
43 "Data Source: Elastic Endgame",
44 "Data Source: SentinelOne",
45 "Data Source: Microsoft Defender for Endpoint"
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and
52 process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
53
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1203"
61name = "Exploitation for Client Execution"
62reference = "https://attack.mitre.org/techniques/T1203/"
63
64
65[rule.threat.tactic]
66id = "TA0002"
67name = "Execution"
68reference = "https://attack.mitre.org/tactics/TA0002/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1189"
73name = "Drive-by Compromise"
74reference = "https://attack.mitre.org/techniques/T1189/"
75
76
77[rule.threat.tactic]
78id = "TA0001"
79name = "Initial Access"
80reference = "https://attack.mitre.org/tactics/TA0001/"
References
Related rules
- Suspicious MS Outlook Child Process
- Microsoft Management Console File from Unusual Path
- Potential WSUS Abuse for Lateral Movement
- ScreenConnect Server Spawning Suspicious Processes
- Suspicious ScreenConnect Client Child Process