<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PowerPoint — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/powerpoint/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 18:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/powerpoint/feed.xml" rel="self" type="application/rss+xml"/><item><title>XSL Script Execution via COM Interface in Microsoft Office</title><link>https://feed.craftedsignal.io/briefs/2024-01-xsl-script-execution-via-com/</link><pubDate>Fri, 26 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-xsl-script-execution-via-com/</guid><description>Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.</description><content:encoded><![CDATA[<p>Attackers are increasingly leveraging the Microsoft.XMLDOM COM interface in Microsoft Office applications to execute malicious scripts. This technique involves embedding malicious JScript or VBScript within XSL transformations, which are then processed by Office applications like Word, Excel, PowerPoint, and Publisher. The exploitation begins when a user opens a specially crafted document. This campaign abuses legitimate functionalities for malicious purposes. This technique can be used for initial access, defense evasion, and execution of arbitrary code. 
The observed behavior includes the loading of <code>msxml3.dll</code> and the spawning of child processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user receives a phishing email containing a malicious Office document.</li>
<li>The user opens the document in Microsoft Word (winword.exe), Excel (excel.exe), PowerPoint (powerpnt.exe), or Publisher (mspub.exe).</li>
<li>The Office application loads <code>msxml3.dll</code> to process XML content within the document.</li>
<li>The document contains an embedded XSL script with malicious JScript or VBScript code.</li>
<li>The XSL transformation is initiated, executing the embedded script via the COM interface.</li>
<li>The script spawns a new process (cmd.exe, powershell.exe, or mshta.exe) to execute arbitrary commands.</li>
<li>The spawned process downloads and executes a payload from a remote server.</li>
<li>The payload establishes persistence, escalates privileges, and performs malicious activities such as data exfiltration or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to arbitrary code execution, potentially compromising sensitive data and allowing attackers to gain initial access to the targeted system. This can result in data breaches, financial losses, and reputational damage. The scope of impact includes any Windows system running vulnerable versions of Microsoft Office. If successful, the attacker can achieve persistence, perform lateral movement, and compromise other systems on the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;XSL Script Execution via COM&rdquo; to your SIEM to detect the execution of hosted XSL scripts using the Microsoft.XMLDOM COM interface.</li>
<li>Monitor for the loading of <code>msxml3.dll</code> by Microsoft Office applications and subsequent process creations to identify potential exploitation attempts.</li>
<li>Implement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories.</li>
<li>Block the execution of unusual or unsigned child processes spawned by Microsoft Office applications to prevent malicious script execution.</li>
<li>Educate users about the risks of opening suspicious attachments or clicking on links in phishing emails (T1566).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>xsl-script</category><category>com-interface</category><category>office-macro</category></item><item><title>Suspicious Image Load (taskschd.dll) from MS Office</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/</guid><description>Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.</description><content:encoded><![CDATA[<p>This detection rule identifies a suspicious image load (<code>taskschd.dll</code>) originating from Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). The behavior suggests potential adversarial activity involving the creation of scheduled tasks through the Windows Component Object Model (COM). Attackers may exploit this technique to establish persistence, circumventing traditional monitoring focused on the <code>schtasks.exe</code> utility. The use of COM for scheduled task management allows for stealthier operation and evasion of standard security controls, making it a valuable persistence mechanism for malicious actors. The rule is designed for data generated by Elastic Defend, Sysmon, and other endpoint detection platforms.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User opens a malicious Microsoft Office document (e.g., Word, Excel).</li>
<li>The document executes embedded macro code or exploits a vulnerability.</li>
<li>The macro or exploit leverages the Component Object Model (COM).</li>
<li>The Office application (e.g., WINWORD.EXE) loads the <code>taskschd.dll</code> library, providing access to the Task Scheduler service.</li>
<li>The COM interface is used to programmatically create a new scheduled task.</li>
<li>The scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.</li>
<li>The malicious payload could be a script, executable, or command-line instruction.</li>
<li>Upon execution, the payload achieves the attacker&rsquo;s objective, such as establishing persistence, downloading additional malware, or compromising the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Office Application Loading Task Scheduler DLL&rdquo; to your SIEM and tune for your environment to detect this specific activity.</li>
<li>Enable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.</li>
<li>Monitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule&rsquo;s investigation guide.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>persistence</category><category>execution</category><category>windows</category><category>image_load</category><category>scheduled_task</category></item><item><title>Suspicious Command Prompt Network Connection</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/</guid><description>This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.</description><content:encoded><![CDATA[<p>This detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.</li>
<li>The document or application contains a macro or script that initiates a cmd.exe process.</li>
<li>The cmd.exe process is launched with arguments indicating script execution (<code>/c</code>, <code>/k</code>) and referencing a remote resource (e.g., a URL) or a local batch file.</li>
<li>The cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP.</li>
<li>The downloaded payload is saved to disk, often with a disguised filename.</li>
<li>The cmd.exe process executes the downloaded payload, initiating further malicious actions.</li>
<li>The malicious payload establishes a command and control (C2) channel with a remote server.</li>
<li>The attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of Windows endpoints, potentially enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging with command line arguments to capture the full context of cmd.exe executions.</li>
<li>Monitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using a network monitoring solution.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>command-prompt</category><category>network-connection</category><category>windows</category><category>execution</category><category>command-and-control</category></item></channel></rss>