Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
Sigma rule (View on GitHub)
1title: Suspicious Download from Office Domain
2id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
3status: test
4description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
5references:
6 - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
7 - https://twitter.com/mrd0x/status/1475085452784844803?s=12
8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
9date: 2021/12/27
10modified: 2022/08/02
11tags:
12 - attack.command_and_control
13 - attack.t1105
14 - attack.t1608
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection_download:
20 - Image|endswith:
21 - '\curl.exe'
22 - '\wget.exe'
23 - CommandLine|contains:
24 - 'Invoke-WebRequest'
25 - 'iwr '
26 - 'curl '
27 - 'wget '
28 - 'Start-BitsTransfer'
29 - '.DownloadFile('
30 - '.DownloadString('
31 selection_domains:
32 CommandLine|contains:
33 - 'https://attachment.outlook.live.net/owa/'
34 - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
35 condition: all of selection_*
36falsepositives:
37 - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
38level: high
References
Related rules
- Curl Usage on Linux
- Finger.exe Suspicious Invocation
- Password Protected ZIP File Opened (Suspicious Filenames)
- PrintBrm ZIP Creation of Extraction
- Script Initiated Connection