{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/excel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Excel","PowerPoint","Word"],"_cs_severities":["medium"],"_cs_tags":["xsl-script","com-interface","office-macro"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging the Microsoft.XMLDOM COM interface in Microsoft Office applications to execute malicious scripts. This technique involves embedding malicious JScript or VBScript within XSL transformations, which are then processed by Office applications like Word, Excel, PowerPoint, and Publisher. The exploitation begins when a user opens a specially crafted document. This campaign abuses legitimate functionalities for malicious purposes. This technique can be used for initial access, defense evasion, and execution of arbitrary code. The observed behavior includes the loading of \u003ccode\u003emsxml3.dll\u003c/code\u003e and the spawning of child processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious Office document.\u003c/li\u003e\n\u003cli\u003eThe user opens the document in Microsoft Word (winword.exe), Excel (excel.exe), PowerPoint (powerpnt.exe), or Publisher (mspub.exe).\u003c/li\u003e\n\u003cli\u003eThe Office application loads \u003ccode\u003emsxml3.dll\u003c/code\u003e to process XML content within the document.\u003c/li\u003e\n\u003cli\u003eThe document contains an embedded XSL script with malicious JScript or VBScript code.\u003c/li\u003e\n\u003cli\u003eThe XSL transformation is initiated, executing the embedded script via the COM interface.\u003c/li\u003e\n\u003cli\u003eThe script spawns a new process (cmd.exe, powershell.exe, or mshta.exe) to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process downloads and executes a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence, escalates privileges, and performs malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, potentially compromising sensitive data and allowing attackers to gain initial access to the targeted system. This can result in data breaches, financial losses, and reputational damage. The scope of impact includes any Windows systems running vulnerable versions of Microsoft Office. If successful, the attacker can achieve persistence, perform lateral movement and compromise other systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;XSL Script Execution via COM\u0026rdquo; to your SIEM to detect the execution of hosted XSL scripts using the Microsoft.XMLDOM COM interface.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of \u003ccode\u003emsxml3.dll\u003c/code\u003e by Microsoft Office applications and subsequent process creations to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unusual or unsigned child processes spawned by Microsoft Office applications to prevent malicious script execution.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments or clicking on links in phishing emails (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"/briefs/2024-01-xsl-script-execution-via-com/","summary":"Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.","title":"XSL Script Execution via COM Interface in Microsoft Office","url":"https://feed.craftedsignal.io/briefs/2024-01-xsl-script-execution-via-com/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Word","Excel","PowerPoint","Publisher","Access"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","windows","image_load","scheduled_task"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious image load (\u003ccode\u003etaskschd.dll\u003c/code\u003e) originating from Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). The behavior suggests potential adversarial activity involving the creation of scheduled tasks through the Windows Component Object Model (COM). Attackers may exploit this technique to establish persistence, circumventing traditional monitoring focused on the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The use of COM for scheduled task management allows for stealthier operation and evasion of standard security controls, making it a valuable persistence mechanism for malicious actors. The rule is designed for data generated by Elastic Defend, Sysmon, and other endpoint detection platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document executes embedded macro code or exploits a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe macro or exploit leverages the Component Object Model (COM).\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., WINWORD.EXE) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library, providing access to the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThe COM interface is used to programmatically create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.\u003c/li\u003e\n\u003cli\u003eThe malicious payload could be a script, executable, or command-line instruction.\u003c/li\u003e\n\u003cli\u003eUpon execution, the payload achieves the attacker\u0026rsquo;s objective, such as establishing persistence, downloading additional malware, or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Office Application Loading Task Scheduler DLL\u0026rdquo; to your SIEM and tune for your environment to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.\u003c/li\u003e\n\u003cli\u003eMonitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-image-load-office/","summary":"Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.","title":"Suspicious Image Load (taskschd.dll) from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Excel","MS Access","MS Publisher","PowerPoint","Word","Outlook"],"_cs_severities":["low"],"_cs_tags":["command-prompt","network-connection","windows","execution","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.\u003c/li\u003e\n\u003cli\u003eThe document or application contains a macro or script that initiates a cmd.exe process.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process is launched with arguments indicating script execution (\u003ccode\u003e/c\u003c/code\u003e, \u003ccode\u003e/k\u003c/code\u003e) and referencing a remote resource (e.g., a URL) or a local batch file.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with a disguised filename.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process executes the downloaded payload, initiating further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a command and control (C2) channel with a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of Windows endpoints, potentially enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of cmd.exe executions.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-cmd-network/","summary":"This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.","title":"Suspicious Command Prompt Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/"}],"language":"en","title":"CraftedSignal Threat Feed — Excel","version":"https://jsonfeed.org/version/1.1"}