Potential Arbitrary File Download Using Office Application

 1title: Potential Arbitrary File Download Using Office Application
 2id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
 3related:
 4    - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
 5      type: obsolete
 6status: test
 7description: Detects potential arbitrary file download using a Microsoft Office application
 8references:
 9    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
10    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
11    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
12    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
13author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
14date: 2022-05-17
15modified: 2023-06-22
16tags:
17    - attack.defense-evasion
18    - attack.t1202
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith:
25              - '\EXCEL.EXE'
26              - '\POWERPNT.EXE'
27              - '\WINWORD.exe'
28        - OriginalFileName:
29              - 'Excel.exe'
30              - 'POWERPNT.EXE'
31              - 'WinWord.exe'
32    selection_http:
33        CommandLine|contains:
34            - 'http://'
35            - 'https://'
36    condition: all of selection_*
37falsepositives:
38    - Unknown
39level: high

References

• Winword on LOLBAS

  

  Winword.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Powerpnt on LOLBAS

  

  Powerpnt.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Excel on LOLBAS

  

  Excel.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Unsanitized file validation leads to Malicious payload download via Office binaries.

  

  As a part of finding vulnerable endpoints to improve defence, I used to reckon legitimate binaries on any chance of masking for payload…

  
  Read More

Related rules

• Custom File Open Handler Executes PowerShell
• Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
• Findstr Launching .lnk File
• Indirect Command Execution From Script File Via Bash.EXE
• Indirect Inline Command Execution Via Bash.EXE