Attachment: Potential Sandbox Evasion in Office File
Scans attached files with a known Office file extension (or extension-less attachments that look like opaque binaries) and alerts on the presence of strings indicative of sandbox-evasion checks.
Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload. The strings the rule looks for are the WMI classes a macro would query for those checks (Win32_Processor for CPU count, Win32_LogicalDisk for disk size, Win32_ComputerSystem for memory and domain membership, Win32_Process for running processes) and the LDAP://RootDSE bind used to test whether the host is domain-joined. The same strings appear in legitimate administrative macros, so a hit identifies a candidate for triage rather than proving malicious intent.
Sublime rule:
name: "Attachment: Potential Sandbox Evasion in Office File"
description: |
  Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks.

  Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.
references:
  - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/tree/main/src/SandBoxEvasion"
  - "https://delivr.to/payloads?id=6e8d282b-7608-4720-9277-fd4ba750aa9c"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  1 of (
                    any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")),
                    any(.scan.strings.strings, strings.ilike(., "*Win32_LogicalDisk*")),
                    any(.scan.strings.strings, strings.ilike(., "*Win32_ComputerSystem*")),
                    any(.scan.strings.strings, strings.ilike(., "*Win32_Process*")),
                    any(.scan.strings.strings, strings.ilike(., "*LDAP://RootDSE*"))
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "File analysis"
  - "Macro analysis"
id: "1c591681-3f02-5d1e-be08-fc1e6793c68b"
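To make the rule's two stages concrete, the following Python is an added example written for this page; it is not Sublime's code and not part of the rule above. It re-implements the attachment gate (macro-capable extension, or an extension-less unknown octet-stream under 100 MB), a `strings`-style extraction of printable ASCII and UTF-16LE runs standing in for `.scan.strings.strings`, and the five case-insensitive glob checks combined with the rule's `1 of` semantics. Assumptions: `FILE_EXTENSIONS_MACROS` is a hand-picked subset of the `$file_extensions_macros` list that Sublime maintains, the `Attachment` class is a local stand-in for Sublime's attachment object, and the `data` field holds already-decompressed macro source as `file.explode` would expose it (real OLE/OOXML containers store VBA compressed, so running plain `strings` over the raw file would miss these indicators). The VBA samples are constructed for the example, not real-world payloads.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a hand-picked subset of macro-capable Office extensions. The real
# $file_extensions_macros list is maintained by Sublime and is broader.
FILE_EXTENSIONS_MACROS = {
    "doc", "docm", "dot", "dotm", "xls", "xlsm", "xlsb", "xlt", "xltm",
    "xlam", "ppt", "pptm", "pot", "potm", "ppam",
}

# The five strings.ilike patterns from the rule, in rule order.
SANDBOX_EVASION_PATTERNS = [
    "*Win32_Processor*",
    "*Win32_LogicalDisk*",
    "*Win32_ComputerSystem*",
    "*Win32_Process*",
    "*LDAP://RootDSE*",
]

MAX_SIZE = 100_000_000  # the rule's .size < 100000000 bound


@dataclass
class Attachment:
    """Local stand-in for the attachment object the rule iterates over."""
    file_extension: Optional[str]  # None models ".file_extension is null"
    file_type: str
    content_type: str
    size: int
    data: bytes  # decompressed macro/content bytes, as file.explode would expose them


def in_scope(a: Attachment) -> bool:
    """The rule's attachment gate.

    A non-null extension must be in the macro list (in~ is case-insensitive);
    a null extension is accepted only for unknown octet-streams under 100 MB.
    """
    if a.file_extension is not None:
        return a.file_extension.lower() in FILE_EXTENSIONS_MACROS
    return (
        a.file_type == "unknown"
        and a.content_type == "application/octet-stream"
        and a.size < MAX_SIZE
    )


# Printable runs of 4+ characters, ASCII and UTF-16LE, like `strings -e s` / `-e l`.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Stand-in for .scan.strings.strings: every printable run in the blob."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _UTF16LE_RUN.finditer(data)]
    return found


def ilike(value: str, pattern: str) -> bool:
    """MQL strings.ilike: case-insensitive glob matched against the whole string."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matched_patterns(data: bytes) -> List[str]:
    """Which of the rule's patterns hit at least one extracted string."""
    strs = extract_strings(data)
    return [p for p in SANDBOX_EVASION_PATTERNS if any(ilike(s, p) for s in strs)]


def rule_fires(a: Attachment) -> bool:
    """Gate passes and at least one pattern matches ("1 of (...)")."""
    return in_scope(a) and len(matched_patterns(a.data)) >= 1


# Constructed sample macro source: checks disk size via WMI and domain membership
# via a RootDSE bind before doing anything else. Not a real-world payload.
EVASIVE_VBA = rb"""Sub AutoOpen()
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colDisks = objWMI.ExecQuery("Select * From Win32_LogicalDisk")
    For Each disk In colDisks
        If CDbl(disk.Size) < 60000000000# Then Exit Sub
    Next
    Set rootDSE = GetObject("LDAP://RootDSE")
End Sub
"""

# Constructed benign macro with no host-fingerprinting strings.
BENIGN_VBA = rb"""Sub AutoOpen()
    MsgBox "Quarterly figures attached"
End Sub
"""


if __name__ == "__main__":
    docm = Attachment("docm", "docm", "application/octet-stream", len(EVASIVE_VBA), EVASIVE_VBA)
    print("evasive .docm fires:", rule_fires(docm), matched_patterns(EVASIVE_VBA))
    benign = Attachment("docm", "docm", "application/octet-stream", len(BENIGN_VBA), BENIGN_VBA)
    print("benign .docm fires:", rule_fires(benign))
```

Two details of the rule show up when running this. First, `*Win32_Process*` is a superset of `*Win32_Processor*`, so a `Win32_Processor` query satisfies two of the five checks; with `1 of` that changes nothing, but it matters if the threshold is ever raised. Second, the gate's `.size` bound applies only to the extension-less branch, so a named `.docm` of any size is scanned.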