sigmahighHunting

Potential Arbitrary File Download Using Office Application

Detects potential arbitrary file download using a Microsoft Office application

MITRE ATT&CK

defense-evasion

Detection Query

selection_img:
  - Image|endswith:
      - \EXCEL.EXE
      - \POWERPNT.EXE
      - \WINWORD.exe
  - OriginalFileName:
      - Excel.exe
      - POWERPNT.EXE
      - WinWord.exe
selection_http:
  CommandLine|contains:
    - http://
    - https://
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community

Created

2022-05-17

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1202

Raw Content

title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
    - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
      type: obsolete
status: test
description: Detects potential arbitrary file download using a Microsoft Office application
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022-05-17
modified: 2023-06-22
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_http:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high