Attachment: Potential Sandbox Evasion in Office File

Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks.

Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.

Sublime rule (View on GitHub)

name: "Attachment: Potential Sandbox Evasion in Office File"
description: |
  Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks.

  Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.
references:
  - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/tree/main/src/SandBoxEvasion"
  - "https://delivr.to/payloads?id=6e8d282b-7608-4720-9277-fd4ba750aa9c"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
            )
          )
          and any(file.explode(.),
                  1 of (
                    any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")),
                    any(.scan.strings.strings, strings.ilike(., "*Win32_LogicalDisk*")),
                    any(.scan.strings.strings, strings.ilike(., "*Win32_ComputerSystem*")),
                    any(.scan.strings.strings, strings.ilike(., "*Win32_Process*")),
                    any(.scan.strings.strings, strings.ilike(., "*LDAP://RootDSE*"))
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "File analysis"
  - "Macro analysis"
id: "1c591681-3f02-5d1e-be08-fc1e6793c68b"
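To make the rule's logic concrete outside the Sublime platform, the following is an added Python re-implementation of the attachment selection and string-matching steps above. It is example code written for this page, not Sublime's own MQL engine or the rule author's code. It assumes a small constructed subset of the `$file_extensions_macros` list (whose real contents are not shown here), models `file.explode(.).scan.strings.strings` as a plain list of strings per attachment, and runs over a few constructed sample attachments rather than real files.

```python
"""Added example: the rule's attachment filter and sandbox-evasion string checks in Python."""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: the rule references a Sublime list named $file_extensions_macros whose
# contents are not on the page; this subset is constructed for the example only.
FILE_EXTENSIONS_MACROS = {
    "doc", "docm", "dot", "dotm", "xls", "xlsm", "xlt", "xltm", "ppt", "pptm", "pot", "potm",
}

# The five wildcard patterns from the rule, matched like strings.ilike() (case-insensitive).
# WMI classes (Win32_*) are what VBA commonly queries via winmgmts: to profile the host;
# LDAP://RootDSE is a typical domain-joined check.
SANDBOX_EVASION_PATTERNS = [
    "*Win32_Processor*",
    "*Win32_LogicalDisk*",
    "*Win32_ComputerSystem*",
    "*Win32_Process*",
    "*LDAP://RootDSE*",
]


@dataclass
class Attachment:
    """Minimal stand-in for a Sublime attachment object plus its exploded strings."""
    name: str
    file_extension: Optional[str]
    file_type: str
    content_type: str
    size: int
    strings: List[str] = field(default_factory=list)  # models .scan.strings.strings


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, equivalent to strings.ilike() for '*' patterns."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_candidate(att: Attachment) -> bool:
    """First half of the rule: macro-capable extension (in~ is case-insensitive),
    or an extension-less, unidentified octet-stream under 100 MB."""
    if att.file_extension is not None and att.file_extension.lower() in FILE_EXTENSIONS_MACROS:
        return True
    return (
        att.file_extension is None
        and att.file_type == "unknown"
        and att.content_type == "application/octet-stream"
        and att.size < 100_000_000
    )


def evasion_indicators(att: Attachment) -> List[str]:
    """Second half of the rule: which of the patterns hit any extracted string.
    The rule fires on '1 of', so a non-empty list means a match."""
    return [p for p in SANDBOX_EVASION_PATTERNS if any(ilike(s, p) for s in att.strings)]


def evaluate(attachments: List[Attachment], inbound: bool = True) -> List[Tuple[str, List[str]]]:
    """Return (attachment name, matched patterns) for every attachment the rule would flag."""
    if not inbound:  # type.inbound gate
        return []
    alerts = []
    for att in attachments:
        if is_candidate(att):
            hits = evasion_indicators(att)
            if hits:
                alerts.append((att.name, hits))
    return alerts


# Constructed sample attachments (not real files); strings mimic what file.explode would yield.
SAMPLE_ATTACHMENTS = [
    Attachment("invoice.docm", "docm", "docm",
               "application/vnd.ms-word.document.macroEnabled.12", 48_000,
               ["Sub AutoOpen()", 'Set wmi = GetObject("winmgmts:")',
                'wmi.ExecQuery("SELECT * FROM Win32_ComputerSystem")']),
    Attachment("agenda.docm", "docm", "docm",
               "application/vnd.ms-word.document.macroEnabled.12", 21_000,
               ["Sub Document_Open()", 'MsgBox "Agenda attached"']),
    Attachment("payload.bin", None, "unknown", "application/octet-stream", 12_000,
               ['GetObject("LDAP://RootDSE")', "Select * From Win32_Processor"]),
    # Too large for the octet-stream branch, so never scanned even though it has a hit.
    Attachment("big.blob", None, "unknown", "application/octet-stream", 200_000_000,
               ["Select * From Win32_LogicalDisk"]),
]

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_ATTACHMENTS):
        print(f"ALERT {name}: {hits}")
```

Note that `*Win32_Process*` also matches `Win32_Processor`, so a single processor query lights up two patterns; that is harmless under `1 of` but worth knowing when reading which indicator fired. The size cap on the octet-stream branch means an oversized unidentified blob is skipped entirely, as the last sample shows.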