<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Visual FoxPro - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/visual-foxpro/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 25 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/visual-foxpro/feed.xml" rel="self" type="application/rss+xml"/><item><title>Excel Spawning Uncommon Microsoft Applications</title><link>https://feed.craftedsignal.io/briefs/2024-01-excel-spawning-uncommon-apps/</link><pubDate>Thu, 25 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-excel-spawning-uncommon-apps/</guid><description>Microsoft Excel spawning uncommon Microsoft application executables like WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe is anomalous and may indicate malicious activity, such as malware execution, persistence mechanisms, or command-and-control attempts.</description><content:encoded><![CDATA[<p>This brief focuses on the unusual behavior of Microsoft Excel spawning uncommon Microsoft application executables. Typically, Excel spawns internal Office-related processes. The execution of executables such as WINPROJ.EXE (Microsoft Project), FOXPROW.exe (Visual FoxPro), or SCHDPLUS.exe (Microsoft Schedule+) as child processes of Excel is uncommon in typical business workflows. Adversaries may exploit this behavior to disguise malicious activity, execute unauthorized code, or bypass application control measures. This tactic is relevant because Office applications are often leveraged as initial access or execution vectors due to their prevalence in enterprise environments. Detecting this parent-child process relationship can help identify suspicious behavior that may indicate malware execution, persistence mechanisms, or command and control activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access, potentially through phishing or exploiting a vulnerability, to execute code within a trusted context like Microsoft Excel.</li>
<li>The attacker leverages Excel's capabilities (e.g., macros, DDE) to execute a command.</li>
<li>The command initiates the creation of an unusual child process.</li>
<li>Excel spawns WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe. This can be achieved using techniques like <code>ActivateMicrosoftApp()</code>.</li>
<li>The spawned process (e.g., WINPROJ.EXE) executes further malicious code.</li>
<li>This code could download additional payloads, establish persistence, or perform lateral movement within the network.</li>
<li>The attacker may attempt to blend the activity by leveraging legitimate Microsoft processes.</li>
<li>The final objective is to achieve command and control, data exfiltration, or deploy ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the execution of arbitrary code, data theft, and system compromise. While the exact number of affected organizations is unknown, this technique can be used to target organizations of any size. The impact includes potential data breaches, financial losses, reputational damage, and disruption of normal business operations. As Microsoft Project (WINPROJ.EXE), Visual FoxPro (FOXPROW.exe), and Microsoft Schedule+ (SCHDPLUS.exe) are not commonly used, their presence as a child process of Excel is highly suspicious.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (Event ID 4688) to capture process creation events, a requirement for the Sigma rules.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect the anomalous parent-child process relationships.</li>
<li>Investigate any instances where Excel spawns WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe, focusing on the context of the Excel process, command-line arguments, and subsequent network or file activity.</li>
<li>Implement application control policies to restrict the execution of unauthorized or uncommon applications.</li>
<li>Monitor network connections originating from WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe for suspicious traffic patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lateral-movement</category><category>execution</category><category>initial-access</category><category>windows</category></item></channel></rss>