{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-project/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Excel","Microsoft Project","Visual FoxPro","Microsoft Schedule+"],"_cs_severities":["high"],"_cs_tags":["lateral-movement","execution","initial-access","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on the unusual behavior of Microsoft Excel spawning uncommon Microsoft application executables. Typically, Excel spawns internal Office-related processes. The execution of executables such as WINPROJ.EXE (Microsoft Project), FOXPROW.exe (Visual FoxPro), or SCHDPLUS.exe (Microsoft Schedule+) as child processes of Excel is uncommon in typical business workflows. Adversaries may exploit this behavior to disguise malicious activity, execute unauthorized code, or bypass application control measures. This tactic is relevant because Office applications are often leveraged as initial access or execution vectors due to their prevalence in enterprise environments. Detecting this parent-child process relationship can help identify suspicious behavior that may indicate malware execution, persistence mechanisms, or command and control activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, potentially through phishing or exploiting a vulnerability, to execute code within a trusted context like Microsoft Excel.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Excel's capabilities (e.g., macros, DDE) to execute a command.\u003c/li\u003e\n\u003cli\u003eThe command initiates the creation of an unusual child process.\u003c/li\u003e\n\u003cli\u003eExcel spawns WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe. This can be achieved using techniques like \u003ccode\u003eActivateMicrosoftApp()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process (e.g., WINPROJ.EXE) executes further malicious code.\u003c/li\u003e\n\u003cli\u003eThis code could download additional payloads, establish persistence, or perform lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to blend the activity by leveraging legitimate Microsoft processes.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve command and control, data exfiltration, or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, data theft, and system compromise. While the exact number of affected organizations is unknown, this technique can be used to target organizations of any size. The impact includes potential data breaches, financial losses, reputational damage, and disruption of normal business operations. As Microsoft Project (WINPROJ.EXE), Visual FoxPro (FOXPROW.exe), and Microsoft Schedule+ (SCHDPLUS.exe) are not commonly used, their presence as a child process of Excel is highly suspicious.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (Event ID 4688) to capture process creation events, a requirement for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect the anomalous parent-child process relationships.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where Excel spawns WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe, focusing on the context of the Excel process, command-line arguments, and subsequent network or file activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or uncommon applications.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe for suspicious traffic patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-excel-spawning-uncommon-apps/","summary":"Microsoft Excel spawning uncommon Microsoft application executables like WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe is anomalous and may indicate malicious activity, such as malware execution, persistence mechanisms, or command-and-control attempts.","title":"Excel Spawning Uncommon Microsoft Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-excel-spawning-uncommon-apps/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Project","version":"https://jsonfeed.org/version/1.1"}