sublime | Severity: high | Rule
Attachment: Potential sandbox evasion in Office file
Scans attachments that carry a known macro-capable Office file extension (or that have no extension and look like an unidentified binary under 100 MB) and alerts when the exploded content contains strings indicative of sandbox evasion checks: WMI class names used to enumerate the CPU, disks, machine and running processes, and an LDAP RootDSE query. Malicious code may carry out such checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload, so that it stays dormant inside an analysis sandbox.
Detection Query
type.inbound
and any(attachments,
        (
          // macro-capable Office extensions (in~ is a case-insensitive list match)
          .file_extension in~ $file_extensions_macros
          // or an extensionless, unidentified binary under 100 MB
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        // explode the attachment (archive members, embedded objects, macro source)
        // and require at least one of the host-probing strings in the extracted strings
        and any(file.explode(.),
                1 of (
                  // WMI classes used to read CPU, disk, machine and process details
                  any(.scan.strings.strings,
                      strings.ilike(., "*Win32_Processor*")
                  ),
                  any(.scan.strings.strings,
                      strings.ilike(., "*Win32_LogicalDisk*")
                  ),
                  any(.scan.strings.strings,
                      strings.ilike(., "*Win32_ComputerSystem*")
                  ),
                  // "*Win32_Process*" also matches Win32_Processor, so the first check above is subsumed by this one
                  any(.scan.strings.strings,
                      strings.ilike(., "*Win32_Process*")
                  ),
                  // a RootDSE bind only succeeds on a domain-joined host
                  any(.scan.strings.strings,
                      strings.ilike(., "*LDAP://RootDSE*")
                  )
                )
        )
)
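The two stages of the query (attachment filter, then a case-insensitive substring scan of the exploded content) emulated in Python as an added example; this is not Sublime's code or the rule author's. It assumes a stand-in for `$file_extensions_macros` (the real list is not on this page), a toy `explode` that unpacks an OOXML-style zip, and a constructed VBA module modelled on the WMI/LDAP checks the rule targets. It also shows why `file.explode` matters: the indicator strings are invisible in the raw, deflated container and only appear once the member holding the macro is extracted.

```python
from __future__ import annotations

import io
import re
import zipfile

# Assumed stand-in for Sublime's $file_extensions_macros (the actual list is not on the page).
FILE_EXTENSIONS_MACROS = {
    "doc", "dot", "docm", "dotm", "xls", "xlt", "xlsm", "xltm", "xlsb", "xlam",
    "ppt", "pot", "pptm", "potm", "ppam", "ppsm",
}

# The five substrings the rule wraps in "*...*"; ilike makes the match case-insensitive.
INDICATORS = (
    "Win32_Processor",
    "Win32_LogicalDisk",
    "Win32_ComputerSystem",
    "Win32_Process",
    "LDAP://RootDSE",
)

MAX_OCTET_STREAM_SIZE = 100_000_000


def attachment_in_scope(att: dict) -> bool:
    """Stage one: the attachment filter from the rule."""
    ext = att.get("file_extension")
    if ext is not None and ext.lower() in FILE_EXTENSIONS_MACROS:  # in~ branch
        return True
    return (  # extensionless, unidentified octet-stream under 100 MB
        ext is None
        and att.get("file_type") == "unknown"
        and att.get("content_type") == "application/octet-stream"
        and att.get("size", 0) < MAX_OCTET_STREAM_SIZE
    )


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Crude stand-in for .scan.strings.strings: printable ASCII and UTF-16LE runs."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [r.decode("utf-16-le") for r in wide_runs]


def matched_indicators(strings: list[str]) -> list[str]:
    """Stage two: which of the five patterns appear (case-insensitive substring)."""
    lowered = [s.lower() for s in strings]
    return [ind for ind in INDICATORS if any(ind.lower() in s for s in lowered)]


def evaluate(message: dict) -> tuple[bool, list[str]]:
    """Whole rule: inbound, in-scope attachment, and "1 of" the indicators in any exploded part."""
    if not message.get("inbound"):
        return False, []
    for att in message.get("attachments", []):
        if not attachment_in_scope(att):
            continue
        for blob in att.get("exploded", []):  # what file.explode(.) would yield
            hits = matched_indicators(extract_strings(blob))
            if hits:
                return True, hits
    return False, []


# Constructed VBA module (not a real sample): disk size, process list and domain check.
VBA_SANDBOX_CHECK = b"""
Sub AutoOpen()
    Set objWMI = GetObject("winmgmts:\\\\.\\root\\cimv2")
    Set colDisks = objWMI.ExecQuery("Select Size From Win32_LogicalDisk Where DeviceID='C:'")
    For Each objDisk In colDisks
        If objDisk.Size / 1073741824 < 60 Then Exit Sub
    Next
    Set colProcs = objWMI.ExecQuery("Select Name From Win32_Process")
    For Each objProc In colProcs
        If LCase(objProc.Name) = "vmtoolsd.exe" Then Exit Sub
    Next
    On Error Resume Next
    Set objRootDSE = GetObject("LDAP://RootDSE")
    If Err.Number <> 0 Then Exit Sub
    Call Payload
End Sub
"""


def build_docm(vba_source: bytes) -> bytes:
    """Constructed stand-in for a macro-enabled document: a deflated OOXML-style zip.
    Real files hold the macro in a compressed vbaProject.bin; here the member is plain
    text, which is enough to show that the container hides the strings until unpacked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", vba_source)
    return buf.getvalue()


def explode(container: bytes) -> list[bytes]:
    """Toy stand-in for file.explode(.): the container itself plus every zip member."""
    parts = [container]
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        parts.extend(zf.read(name) for name in zf.namelist())
    return parts


def demo() -> dict:
    doc = build_docm(VBA_SANDBOX_CHECK)
    message = {
        "inbound": True,
        "attachments": [
            # carries the strings but is out of scope: not a macro extension
            {"file_extension": "pdf", "file_type": "pdf", "content_type": "application/pdf",
             "size": 1234, "exploded": [VBA_SANDBOX_CHECK]},
            {"file_extension": "DOCM", "file_type": "docm", "content_type": "application/octet-stream",
             "size": len(doc), "exploded": explode(doc)},
        ],
    }
    return {"raw_container_hits": matched_indicators(extract_strings(doc)),
            "verdict": evaluate(message)}


if __name__ == "__main__":
    print(demo())
```

Two properties of the query are visible in the emulation: `"*Win32_Process*"` also matches `Win32_Processor`, so a document that only queries the CPU class still fires twice, and a string scan over the unexploded container finds nothing, which is why the rule applies the scan to `file.explode(.)` rather than to the attachment bytes.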
Author
ajpc500
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
References
Raw Content
name: "Attachment: Potential sandbox evasion in Office file"
description: |
  Scans attachments that carry a known macro-capable Office file extension (or that have no extension and look like an unidentified binary under 100 MB) and alerts when the exploded content contains strings indicative of sandbox evasion checks.
  Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.
references:
  - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/tree/main/src/SandBoxEvasion"
  - "https://delivr.to/payloads?id=6e8d282b-7608-4720-9277-fd4ba750aa9c"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  1 of (
                    any(.scan.strings.strings,
                        strings.ilike(., "*Win32_Processor*")
                    ),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Win32_LogicalDisk*")
                    ),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Win32_ComputerSystem*")
                    ),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Win32_Process*")
                    ),
                    any(.scan.strings.strings,
                        strings.ilike(., "*LDAP://RootDSE*")
                    )
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "File analysis"
  - "Macro analysis"
id: "1c591681-3f02-5d1e-be08-fc1e6793c68b"