Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents.
Sigma rule
```yaml
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
    - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
    - https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.t1608
logsource:
    product: windows
    category: process_creation
detection:
    selection_download:
        - Image|endswith:
              - '\curl.exe'
              - '\wget.exe'
        - CommandLine|contains:
              - 'Invoke-WebRequest'
              - 'iwr '
              - 'curl '
              - 'wget '
              - 'Start-BitsTransfer'
              - '.DownloadFile('
              - '.DownloadString('
    selection_domains:
        CommandLine|contains:
            - 'https://attachment.outlook.live.net/owa/'
            - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
    condition: all of selection_*
falsepositives:
    - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
```
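As an added example (written for this page, not part of the Sigma project or of the rule's own tooling), the following Python script evaluates the rule's detection logic against a handful of constructed process_creation events. It assumes a minimal event represented as a dict with `Image` and `CommandLine` fields, and it shows how the two maps inside `selection_download` are OR-ed, how `all of selection_*` then AND-s the two selections, and how Sigma's default case-insensitive matching still catches an upper-cased `IWR` invocation.

```python
# Added example: evaluates the detection logic of the Sigma rule above against
# constructed process_creation events. Illustrative code for this page only,
# not Sigma's own tooling or a real backend.

# Values copied from the rule's selections.
DOWNLOAD_IMAGES = ("\\curl.exe", "\\wget.exe")
DOWNLOAD_COMMANDS = (
    "Invoke-WebRequest", "iwr ", "curl ", "wget ",
    "Start-BitsTransfer", ".DownloadFile(", ".DownloadString(",
)
OFFICE_DOMAINS = (
    "https://attachment.outlook.live.net/owa/",
    "https://onenoteonlinesync.onenote.com/onenoteonlinesync/",
)


def _contains_any(value, needles):
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    value = value.lower()
    return any(n.lower() in value for n in needles)


def _endswith_any(value, suffixes):
    value = value.lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def selection_download(event):
    # selection_download is a YAML list of two maps, so the maps are OR-ed:
    # either the image name matches or the command line carries a download verb.
    return (_endswith_any(event.get("Image", ""), DOWNLOAD_IMAGES)
            or _contains_any(event.get("CommandLine", ""), DOWNLOAD_COMMANDS))


def selection_domains(event):
    # A single map with a list of values: any listed URL prefix in the command line.
    return _contains_any(event.get("CommandLine", ""), OFFICE_DOMAINS)


def rule_matches(event):
    # condition: all of selection_*  -> both selections must be true.
    return selection_download(event) and selection_domains(event)


# Constructed sample process_creation events (not real telemetry; URL paths are placeholders).
SAMPLE_EVENTS = [
    {"id": "curl-owa",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -o out.bin https://attachment.outlook.live.net/owa/EXAMPLE-ID"},
    {"id": "ps-onenote",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://onenoteonlinesync.onenote.com/onenoteonlinesync/EXAMPLE"},
    {"id": "iwr-upper",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell IWR HTTPS://ATTACHMENT.OUTLOOK.LIVE.NET/OWA/EXAMPLE -OutFile a.bin"},
    {"id": "ps-other-site",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://example.test/file.bin"},
    {"id": "onenote-itself",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
     "CommandLine": "\"ONENOTE.EXE\" https://onenoteonlinesync.onenote.com/onenoteonlinesync/EXAMPLE"},
]


def matching_ids(events):
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:>15}: {'ALERT' if rule_matches(ev) else 'no match'}")
```

The first three events alert and the last two do not: the `ps-other-site` event has a download verb but no listed domain, and the `onenote-itself` event references a listed domain without any download verb or downloader image. Note that a benign administrative script using `Invoke-WebRequest` against these domains would alert just like `ps-onenote` does, which is exactly the false positive the rule declares.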
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings