Potential Arbitrary File Download Using Office Application

Detects potential arbitrary file download using a Microsoft Office application

Sigma rule

title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
    - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
      type: obsoletes
status: experimental
description: Detects potential arbitrary file download using a Microsoft Office application
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022/05/17
modified: 2023/06/22
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_http:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
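The detection logic of the rule above, written out as an added Python example (not part of the Sigma project or this rule's tooling) and run over constructed process_creation events: the field values come from the rule, while the paths and URLs in the sample events are placeholders. It also shows why the rule lists OriginalFileName beside Image: a renamed copy of the Office binary still matches on the PE header name.

```python
# Values copied from the rule above. Sigma string modifiers compare
# case-insensitively, so every comparison below lowercases both sides.
IMAGE_SUFFIXES = ("\\EXCEL.EXE", "\\POWERPNT.EXE", "\\WINWORD.exe")
ORIGINAL_FILE_NAMES = ("Excel.exe", "POWERPNT.EXE", "WinWord.exe")
URL_MARKERS = ("http://", "https://")


def selection_img(event: dict) -> bool:
    """selection_img: Image ends with an Office binary name, OR the
    OriginalFileName (PE header) is one, which survives a renamed file."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or ofn in {n.lower() for n in ORIGINAL_FILE_NAMES})


def selection_http(event: dict) -> bool:
    """selection_http: CommandLine contains http:// or https://."""
    cmdline = event.get("CommandLine", "").lower()
    return any(m in cmdline for m in URL_MARKERS)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_http(event)


# Constructed sample process_creation events (placeholder paths and URLs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" https://example.invalid/a.doc'},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "OriginalFileName": "Excel.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\alice\budget.xlsx'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.invalid/a.doc"},
    # Renamed copy: Image no longer matches, OriginalFileName still does.
    {"Image": r"C:\Temp\office.exe",
     "OriginalFileName": "POWERPNT.EXE",
     "CommandLine": "office.exe http://example.invalid/deck.ppt"},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Only the first and last sample events fire: the Excel event has no URL on its command line, and curl is not an Office binary, so neither selection set is satisfied by those two.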
