Potential Foxmail Exploitation

Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/08/29"
 3integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 6min_stack_version = "8.13.0"
 7updated_date = "2024/09/17"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. 
13This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via 
14a malicious email.
15"""
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-windows.*",
20    "endgame-*",
21    "logs-system.security*",
22    "logs-windows.sysmon_operational-*",
23    "logs-sentinel_one_cloud_funnel.*",
24    "logs-m365_defender.event-*", 
25    "logs-endpoint.events.process-*"
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Potential Foxmail Exploitation"
30references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
31risk_score = 73
32rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
33severity = "high"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Initial Access",
39    "Tactic: Execution",
40    "Data Source: Elastic Defend",
41    "Data Source: Sysmon", 
42    "Data Source: System", 
43    "Data Source: Elastic Endgame",
44    "Data Source: SentinelOne",
45    "Data Source: Microsoft Defender for Endpoint"
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and 
52 process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
53
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1203"
61name = "Exploitation for Client Execution"
62reference = "https://attack.mitre.org/techniques/T1203/"
63
64
65[rule.threat.tactic]
66id = "TA0002"
67name = "Execution"
68reference = "https://attack.mitre.org/tactics/TA0002/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1189"
73name = "Drive-by Compromise"
74reference = "https://attack.mitre.org/techniques/T1189/"
75
76
77[rule.threat.tactic]
78id = "TA0001"
79name = "Initial Access"
80reference = "https://attack.mitre.org/tactics/TA0001/"

References

Related rules

to-top