Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
Sigma rule
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: experimental
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
    - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
    - https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/12/27
modified: 2022/08/02
tags:
    - attack.command_and_control
    - attack.t1105
    - attack.t1608
logsource:
    product: windows
    category: process_creation
detection:
    selection_download:
        - Image|endswith:
              - '\curl.exe'
              - '\wget.exe'
        - CommandLine|contains:
              - 'Invoke-WebRequest'
              - 'iwr '
              - 'curl '
              - 'wget '
              - 'Start-BitsTransfer'
              - '.DownloadFile('
              - '.DownloadString('
    selection_domains:
        CommandLine|contains:
            - 'https://attachment.outlook.live.net/owa/'
            - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
    condition: all of selection_*
falsepositives:
    - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
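The rule's detection logic written out in Python, as an added example that is not the Sigma project's own code: it applies the two selections and the `all of selection_*` condition to constructed process_creation events (the URL paths and file names are placeholders) and reports which ones would alert.

```python
# Added example (not the Sigma project's code): this rule's logic in Python.
from typing import Dict, List

# Sigma contains/endswith match case-insensitively, so compare lower-cased values.
DOWNLOAD_IMAGES = ("\\curl.exe", "\\wget.exe")
DOWNLOAD_CMDS = ("invoke-webrequest", "iwr ", "curl ", "wget ",
                 "start-bitstransfer", ".downloadfile(", ".downloadstring(")
DOMAINS = ("https://attachment.outlook.live.net/owa/",
           "https://onenoteonlinesync.onenote.com/onenoteonlinesync/")

def selection_download(event: Dict[str, str]) -> bool:
    # The two list items under selection_download are OR-ed: tool image OR cradle.
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(DOWNLOAD_IMAGES) or any(c in cmd for c in DOWNLOAD_CMDS)

def selection_domains(event: Dict[str, str]) -> bool:
    # Command line references one of the attachment-hosting domains.
    cmd = event.get("CommandLine", "").lower()
    return any(d in cmd for d in DOMAINS)

def matches(event: Dict[str, str]) -> bool:
    # condition: all of selection_* -> both selections must hold.
    return selection_download(event) and selection_domains(event)

# Constructed sample events; URL paths are placeholders, not real attachments.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -o note.one https://attachment.outlook.live.net/owa/PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c iwr https://onenoteonlinesync.onenote.com/onenoteonlinesync/PLACEHOLDER"},
    # Download tool, but not one of the rule's domains: no alert.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -O https://example.com/tool.zip"},
    # Rule domain, but opened by a browser rather than a download cradle: no alert.
    {"Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe https://attachment.outlook.live.net/owa/PLACEHOLDER"},
]

def alerting_indices(events: List[Dict[str, str]]) -> List[int]:
    # Positions of the events that would raise this rule.
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(alerting_indices(SAMPLE_EVENTS))  # [0, 1]
```

The third and fourth events show the `all of selection_*` condition at work: a download tool alone, or one of the domains alone, is not enough to fire.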
Related rules
- Abusing IEExec To Download Payloads
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential COM Objects Download Cradles Usage - PS Script
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential DLL File Download Via PowerShell Invoke-WebRequest