back

Find sigma rule

Attack: User Execution: Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

MITRE

Tactic

• execution

technique

• T1204.002

Test : Office Generic Payload Download

OS

• windows

Description:

This Test uses a VBA macro to launch Powershell which will download a file from a user defined web server. Required input agruments are c2_domain and file_name Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents. Example for c2 server located at 127.0.0.1 for the file test.txt which is nested below the parent directory in the tests/my-test folder Example input args for file in root directory c2-domain = 127.0.0.1, file-name = test.txt

Executor

powershell

Sigma Rule

• proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)

• proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)

• proc_creation_win_powershell_susp_parent_process.yml (id: 754ed792-634f-40ae-b3bc-e0448d33f695)

• posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)

• posh_ps_remove_item_path.yml (id: b8af5f36-1361-4ebe-9e76-e36128d947bf)

• registry_set_office_trust_record_susp_location.yml (id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd)

• net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)

• net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

• image_load_office_vbadll_load.yml (id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9)

• proc_creation_win_office_susp_child_processes.yml (id: 438025f9-5856-4663-83f7-52f878a70a50)

• posh_pm_alternate_powershell_hosts.yml (id: 64e8e417-c19a-475a-8d19-98ea705394cc)

• posh_pm_alternate_powershell_hosts.yml (id: 64e8e417-c19a-475a-8d19-98ea705394cc)

• image_load_dll_dbghelp_dbgcore_susp_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)

back