xrisbarney / Detecting-JSSLoader-with-Wazuh


Collect logs from infected machine. #1

Open xrisbarney opened 2 years ago

xrisbarney commented 2 years ago

This issue will hold logs collected from the infected machines.

xrisbarney commented 2 years ago
  1. Unsigned xll launched.
{ "win": { "eventdata": { "originalFileName": "ExcelDna.xll", "image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", "product": "Excel-DNA Add-In Framework for Microsoft Excel", "imageLoaded": "C:\\\\Users\\\\chris\\\\Downloads\\\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6\\\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6.xll", "description": "Excel-DNA Dynamic Link Library", "signed": "false", "signatureStatus": "Unavailable", "processGuid": "{ef5984a4-f69d-624b-dd04-000000000500}", "processId": "4976", "utcTime": "2022-04-05 07:58:40.494", "hashes": "SHA1=6B8F41B0BD35C0C4E6972A2C6B9D4ABEBF0861E9,MD5=8728DF136AF4050C1CE4E3C56E26B755,SHA256=8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6,IMPHASH=5E95C28CC2C318698383B346E766F577", "ruleName": "technique_id=T1137,technique_name=Office Application Startup", "company": "Govert van Drimmelen", "fileVersion": "1.1.0.3", "user": "DESKTOP-PQKPK46\\\\chris" }, "system": { "eventID": "7", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Image loaded:\r\nRuleName: technique_id=T1137,technique_name=Office Application Startup\r\nUtcTime: 2022-04-05 07:58:40.494\r\nProcessGuid: {ef5984a4-f69d-624b-dd04-000000000500}\r\nProcessId: 4976\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nImageLoaded: C:\\Users\\chris\\Downloads\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6.xll\r\nFileVersion: 1.1.0.3\r\nDescription: Excel-DNA Dynamic Link Library\r\nProduct: Excel-DNA Add-In Framework for Microsoft Excel\r\nCompany: Govert van Drimmelen\r\nOriginalFileName: ExcelDna.xll\r\nHashes: 
SHA1=6B8F41B0BD35C0C4E6972A2C6B9D4ABEBF0861E9,MD5=8728DF136AF4050C1CE4E3C56E26B755,SHA256=8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6,IMPHASH=5E95C28CC2C318698383B346E766F577\r\nSigned: false\r\nSignature: -\r\nSignatureStatus: Unavailable\r\nUser: DESKTOP-PQKPK46\\chris\"", "version": "3", "systemTime": "2022-04-05T07:58:40.5829742Z", "eventRecordID": "14309", "threadID": "2924", "computer": "DESKTOP-PQKPK46", "task": "7", "processID": "1916", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }

Done.

Rules

<group name="malware_detection,fin7,">
  <!-- Sysmon Event 7 (image loaded) where the loading process is Excel -->
  <rule id="100002" level="0">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)excel\.exe</field>
    <description>Application $(win.eventdata.imageLoaded) loaded by excel.exe.</description>
    <mitre>
      <id>T1204</id>
      <id>T1137</id>
    </mitre>
  </rule>

  <!-- Loaded image is an Excel add-in; dot escaped and extension anchored so a
       directory named "xll" or a ".xllx" file does not match -->
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\.(xll|xla|xlam)$</field>
    <description>Add-in $(win.eventdata.originalFileName) loaded by excel.exe.</description>
    <mitre>
      <id>T1137</id>
      <id>T1137.001</id>
    </mitre>
  </rule>

  <!-- Add-in carries no valid Authenticode signature -->
  <rule id="100004" level="7">
    <if_sid>100003</if_sid>
    <field name="win.eventdata.signed" type="pcre2">^false$</field>
    <description>Unsigned add-in $(win.eventdata.originalFileName) loaded by excel.exe. Possible malicious activity.</description>
    <mitre>
      <id>T1204</id>
      <id>T1204.002</id>
      <id>T1137</id>
      <id>T1137.001</id>
    </mitre>
  </rule>
</group>
xrisbarney commented 2 years ago
  1. Network request for loader
{ "win": { "eventdata": { "image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", "processGuid": "{ef5984a4-f69d-624b-dd04-000000000500}", "queryStatus": "0", "processId": "4976", "utcTime": "2022-04-05 07:58:50.837", "queryName": "physiciansofficenews.com", "queryResults": "::ffff:209.99.64.51;", "user": "DESKTOP-PQKPK46\\\\chris" }, "system": { "eventID": "22", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Dns query:\r\nRuleName: -\r\nUtcTime: 2022-04-05 07:58:50.837\r\nProcessGuid: {ef5984a4-f69d-624b-dd04-000000000500}\r\nProcessId: 4976\r\nQueryName: physiciansofficenews.com\r\nQueryStatus: 0\r\nQueryResults: ::ffff:209.99.64.51;\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nUser: DESKTOP-PQKPK46\\chris\"", "version": "5", "systemTime": "2022-04-05T07:58:51.5395974Z", "eventRecordID": "14317", "threadID": "2932", "computer": "DESKTOP-PQKPK46", "task": "22", "processID": "1916", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }

Done

Rules

<group name="malware_detection,fin7,">
  <!-- Sysmon Event 22 (DNS query) issued by Excel -->
  <rule id="100005" level="0">
    <if_sid>61600</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)excel\.exe</field>
    <field name="win.system.eventID" type="pcre2">^22$</field>
    <description>Excel made a network request.</description>
  </rule>

  <!-- Queried name is one of the dropper domains seen in this sample; dots escaped -->
  <rule id="100006" level="15">
    <if_sid>100005</if_sid>
    <field name="win.eventdata.queryName" type="pcre2">(?i)(physiciansofficenews\.com|thechinastyle\.com|divorceradio\.com)</field>
    <description>Excel made a network request to JSSLoader dropper domains.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>
xrisbarney commented 2 years ago
  1. DNAxxx Launched by excel
{ "win": { "eventdata": { "image": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp", "parentProcessGuid": "{ef5984a4-2de5-624c-1402-000000000700}", "logonGuid": "{ef5984a4-0f92-624c-8023-030000000000}", "parentCommandLine": "\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE\\\"", "processGuid": "{ef5984a4-2f6a-624c-1c02-000000000700}", "logonId": "0x32380", "parentProcessId": "6820", "processId": "2144", "currentDirectory": "C:\\\\Users\\\\chris\\\\Documents\\\\", "utcTime": "2022-04-05 12:00:42.774", "hashes": "SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000", "parentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", "ruleName": "technique_id=T1137,technique_name=Office Application Startup", "commandLine": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp", "integrityLevel": "Medium", "user": "DESKTOP-PQKPK46\\\\chris", "terminalSessionId": "1", "parentUser": "DESKTOP-PQKPK46\\\\chris" }, "system": { "eventID": "1", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Process Create:\r\nRuleName: technique_id=T1137,technique_name=Office Application Startup\r\nUtcTime: 2022-04-05 12:00:42.774\r\nProcessGuid: {ef5984a4-2f6a-624c-1c02-000000000700}\r\nProcessId: 2144\r\nImage: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nCurrentDirectory: C:\\Users\\chris\\Documents\\\r\nUser: DESKTOP-PQKPK46\\chris\r\nLogonGuid: {ef5984a4-0f92-624c-8023-030000000000}\r\nLogonId: 0x32380\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\r\nParentProcessGuid: {ef5984a4-2de5-624c-1402-000000000700}\r\nParentProcessId: 6820\r\nParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nParentCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" \r\nParentUser: DESKTOP-PQKPK46\\chris\"", "version": "5", "systemTime": "2022-04-05T12:00:42.7834956Z", "eventRecordID": "19041", "threadID": "2888", "computer": "DESKTOP-PQKPK46", "task": "1", "processID": "1372", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }

Done

Rules

<group name="malware_detection,fin7,">
  <!-- Sysmon Event 1 (process create) whose parent is Excel -->
  <rule id="100007" level="0">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)excel\.exe</field>
    <description>$(win.eventdata.image) Process launched by excel.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <!-- Child image ends in .tmp; dot escaped and anchored so "tmp" elsewhere in the path does not match -->
  <rule id="100008" level="7">
    <if_sid>100007</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\.tmp$</field>
    <description>$(win.eventdata.image) executable masquerading as a TMP file was launched by excel. Possible FIN7 JSSLoader execution.</description>
    <mitre>
      <id>T1036</id>
      <id>T1059</id>
      <id>T1059.005</id>
    </mitre>
  </rule>

  <rule id="100009" level="15">
    <if_sid>100008</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)DNA</field>
    <description>$(win.eventdata.image) executable masquerading as a .TMP file launched by excel. DNA prefix is typically associated with FIN7 JSSLoader.</description>
    <mitre>
      <id>T1036</id>
      <id>T1059</id>
      <id>T1059.005</id>
    </mitre>
  </rule>
</group>
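The three rule groups in this issue all work the same way: a level-0 rule narrows a stock Sysmon rule to Excel, and each child rule adds one more condition until the level reaches an alerting threshold. As an added example (not code from this issue or from Wazuh), the following Python replays that chain against constructed events trimmed from the logs posted here. The stock rules 61600, 61603 and 61609 are modelled only as provider/eventID checks, an approximation of the real ruleset; the custom rules are the ones above with regex dots escaped and extensions anchored; `RULES`, `SAMPLE_EVENTS`, `evaluate` and `would_alert` are names chosen for this example.

```python
import re

# Rule tree: id -> (level, parent id, [(field, pcre2 pattern)], description).
# 61600/61603/61609 stand in for Wazuh's stock Sysmon rules and are modelled
# here only as provider/eventID checks (an approximation, not the real ruleset).
RULES = {
    61600: (0, None, [("win.system.providerName", r"^Microsoft-Windows-Sysmon$")],
            "Sysmon event"),
    61603: (0, 61600, [("win.system.eventID", r"^1$")], "Sysmon - Event 1: Process creation"),
    61609: (0, 61600, [("win.system.eventID", r"^7$")], "Sysmon - Event 7: Image loaded"),
    100002: (0, 61609, [("win.eventdata.image", r"(?i)excel\.exe")],
             "Application $(win.eventdata.imageLoaded) loaded by excel.exe."),
    100003: (3, 100002, [("win.eventdata.imageLoaded", r"(?i)\.(xll|xla|xlam)$")],
             "Add-in $(win.eventdata.originalFileName) loaded by excel.exe."),
    100004: (7, 100003, [("win.eventdata.signed", r"^false$")],
             "Unsigned add-in $(win.eventdata.originalFileName) loaded by excel.exe. "
             "Possible malicious activity."),
    100005: (0, 61600, [("win.eventdata.image", r"(?i)excel\.exe"),
                        ("win.system.eventID", r"^22$")],
             "Excel made a network request."),
    100006: (15, 100005, [("win.eventdata.queryName",
                           r"(?i)(physiciansofficenews\.com|thechinastyle\.com|divorceradio\.com)")],
             "Excel made a network request to JSSLoader dropper domains."),
    100007: (0, 61603, [("win.eventdata.parentImage", r"(?i)excel\.exe")],
             "$(win.eventdata.image) Process launched by excel."),
    100008: (7, 100007, [("win.eventdata.image", r"(?i)\.tmp$")],
             "$(win.eventdata.image) executable masquerading as a TMP file was launched by excel."),
    100009: (15, 100008, [("win.eventdata.image", r"(?i)DNA")],
             "$(win.eventdata.image) masquerading as a .TMP file launched by excel (FIN7 JSSLoader)."),
}


def get_field(event, dotted):
    """Resolve a Wazuh field path such as win.eventdata.image."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(event, fields):
    """Every <field> of a rule must hold; a pcre2 field match is an unanchored search."""
    return all(get_field(event, name) is not None
               and re.search(pattern, str(get_field(event, name))) for name, pattern in fields)


def render(description, event):
    """Expand $(field) placeholders the way Wazuh does in <description>."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: str(get_field(event, m.group(1)) or "-"), description)


def evaluate(event, rule_id=61600):
    """Descend the tree from the root: the deepest matching rule is the one Wazuh reports.
    Returns (rule_id, level, rendered description), or None if even the root fails."""
    level, _parent, fields, description = RULES[rule_id]
    if not rule_matches(event, fields):
        return None
    for child, (_, parent, _, _) in RULES.items():
        if parent == rule_id:
            deeper = evaluate(event, child)
            if deeper is not None:
                return deeper
    return rule_id, level, render(description, event)


def would_alert(event, threshold=3):
    """Wazuh only writes an alert when the final rule's level reaches log_alert_level (default 3)."""
    result = evaluate(event)
    return result if result and result[1] >= threshold else None


def sysmon_event(event_id, **eventdata):
    """Constructed event in the shape the windows_eventchannel decoder produces."""
    return {"win": {"system": {"providerName": "Microsoft-Windows-Sysmon",
                               "eventID": str(event_id)},
                    "eventdata": eventdata}}


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
XLL = (r"C:\Users\chris\Downloads\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6"
       r"\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6.xll")

SAMPLE_EVENTS = {
    # trimmed from the Event 7 / 22 / 1 records posted in this issue
    "unsigned_xll": sysmon_event(7, image=EXCEL, imageLoaded=XLL,
                                 originalFileName="ExcelDna.xll", signed="false"),
    "dropper_dns": sysmon_event(22, image=EXCEL, queryName="physiciansofficenews.com"),
    "dna_tmp": sysmon_event(1, parentImage=EXCEL,
                            image=r"C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp"),
    # constructed counterparts on which the chain must stop early
    "signed_xll": sysmon_event(7, image=EXCEL, imageLoaded=XLL,
                               originalFileName="ExcelDna.xll", signed="true"),
    "other_dns": sysmon_event(22, image=EXCEL, queryName="example.com"),
    "mid_path_xll": sysmon_event(7, image=EXCEL, imageLoaded=r"C:\tools\xll\helper.dll"),
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:14} -> {evaluate(event)}  alert={would_alert(event) is not None}")
```

The `mid_path_xll` event is the reason for the escaped, anchored extension pattern: with the unescaped `(.xll|.xla|.xlam)` it would reach rule 100003 because `\xll` in the directory name satisfies the pattern, whereas `\.(xll|xla|xlam)$` leaves it at the silent level-0 rule 100002.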
xrisbarney commented 2 years ago
  1. DNAxxx running
    {
    "_index": "wazuh-archives-4.x-2022.04.05",
    "_type": "_doc",
    "_id": "v9C4-X8BHMy6u6Bix174",
    "_version": 1,
    "_score": null,
    "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-PQKPK46",
      "id": "002"
    },
    "manager": {
      "name": "blaq-ThinkPad-T440"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp",
          "signatureStatus": "Unavailable",
          "processGuid": "{ef5984a4-2f6a-624c-1c02-000000000700}",
          "processId": "2144",
          "utcTime": "2022-04-05 12:00:42.780",
          "hashes": "SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000",
          "ruleName": "technique_id=T1073,technique_name=DLL Side-Loading",
          "imageLoaded": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp",
          "signed": "false",
          "user": "DESKTOP-PQKPK46\\\\chris"
        },
        "system": {
          "eventID": "7",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Image loaded:\r\nRuleName: technique_id=T1073,technique_name=DLL Side-Loading\r\nUtcTime: 2022-04-05 12:00:42.780\r\nProcessGuid: {ef5984a4-2f6a-624c-1c02-000000000700}\r\nProcessId: 2144\r\nImage: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nImageLoaded: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nHashes: SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\r\nSigned: false\r\nSignature: -\r\nSignatureStatus: Unavailable\r\nUser: DESKTOP-PQKPK46\\chris\"",
          "version": "3",
          "systemTime": "2022-04-05T12:00:42.7850398Z",
          "eventRecordID": "19043",
          "threadID": "2888",
          "computer": "DESKTOP-PQKPK46",
          "task": "7",
          "processID": "1372",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"7\",\"version\":\"3\",\"level\":\"4\",\"task\":\"7\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-05T12:00:42.7850398Z\",\"eventRecordID\":\"19043\",\"processID\":\"1372\",\"threadID\":\"2888\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-PQKPK46\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Image loaded:\\r\\nRuleName: technique_id=T1073,technique_name=DLL Side-Loading\\r\\nUtcTime: 2022-04-05 12:00:42.780\\r\\nProcessGuid: {ef5984a4-2f6a-624c-1c02-000000000700}\\r\\nProcessId: 2144\\r\\nImage: C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp\\r\\nImageLoaded: C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nHashes: SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\\r\\nSigned: false\\r\\nSignature: -\\r\\nSignatureStatus: Unavailable\\r\\nUser: DESKTOP-PQKPK46\\\\chris\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1073,technique_name=DLL Side-Loading\",\"utcTime\":\"2022-04-05 
12:00:42.780\",\"processGuid\":\"{ef5984a4-2f6a-624c-1c02-000000000700}\",\"processId\":\"2144\",\"image\":\"C:\\\\\\\\Users\\\\\\\\chris\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\DNAxxx.tmp\",\"imageLoaded\":\"C:\\\\\\\\Users\\\\\\\\chris\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\DNAxxx.tmp\",\"hashes\":\"SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\",\"signed\":\"false\",\"signatureStatus\":\"Unavailable\",\"user\":\"DESKTOP-PQKPK46\\\\\\\\chris\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-05T12:35:08.378Z",
    "location": "EventChannel",
    "id": "1649162108.2019574",
    "timestamp": "2022-04-05T15:35:08.378+0300"
    },
    "fields": {
    "@timestamp": [
      "2022-04-05T12:35:08.378Z"
    ],
    "timestamp": [
      "2022-04-05T12:35:08.378Z"
    ]
    },
    "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@002@/kibana-highlighted-field@"
    ]
    },
    "sort": [
    1649162108378
    ]
    }
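The archive document above is the Event 7 for DNAxxx.tmp and carries the same ProcessGuid and SHA256 as the Event 1 in the previous comment, which is the pivot a responder uses to stitch the two together. As an added example (not code from this issue or from Wazuh), the Python below builds constructed archive records trimmed from those two events plus one constructed record for Excel's own process, reads the raw `full_log` string rather than the decoded `data.win` fields, parses Sysmon's `key=value,key=value` fields, and produces a per-process timeline with a hash-consistency check and the technique tags the Sysmon config attached. `archive_record`, `parse_kv`, `process_timeline` and `summarize` are names chosen for this example; the all-zero SHA256 on the Excel record is a constructed placeholder.

```python
import json

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DNA_PATH = r"C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp"
DNA_GUID = "{ef5984a4-2f6a-624c-1c02-000000000700}"      # ProcessGuid of DNAxxx.tmp
EXCEL_GUID = "{ef5984a4-2de5-624c-1402-000000000700}"    # its ParentProcessGuid
DNA_HASHES = ("SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,"
              "MD5=22616070ACE3C7377135EBC3B97964C5,"
              "SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,"
              "IMPHASH=00000000000000000000000000000000")


def archive_record(event_id, utc_time, **eventdata):
    """Shape of a wazuh-archives document: decoded fields under data.win, and the
    raw agent JSON kept verbatim as a string in full_log (constructed here)."""
    win = {"system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": str(event_id)},
           "eventdata": dict(eventdata, utcTime=utc_time)}
    return {"data": {"win": win}, "full_log": json.dumps({"win": win})}


# Constructed records: Event 7 (this comment), Event 1 (previous comment), and a
# placeholder Event 1 for Excel itself so the pivot has something to exclude.
RECORDS = [
    archive_record(7, "2022-04-05 12:00:42.780", image=DNA_PATH, imageLoaded=DNA_PATH,
                   processGuid=DNA_GUID, signed="false", hashes=DNA_HASHES,
                   ruleName="technique_id=T1073,technique_name=DLL Side-Loading"),
    archive_record(1, "2022-04-05 12:00:42.774", image=DNA_PATH, parentImage=EXCEL,
                   processGuid=DNA_GUID, parentProcessGuid=EXCEL_GUID, hashes=DNA_HASHES,
                   ruleName="technique_id=T1137,technique_name=Office Application Startup"),
    archive_record(1, "2022-04-05 11:55:00.000", image=EXCEL, processGuid=EXCEL_GUID,
                   hashes="SHA256=" + "0" * 64),  # constructed placeholder hash
]


def parse_kv(field):
    """Split a Sysmon 'k=v,k=v' field (hashes, ruleName) into a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def process_timeline(records, process_guid):
    """Every event carrying this ProcessGuid, oldest first, read from full_log so the
    pivot still works if the decoder dropped or renamed a field."""
    rows = []
    for rec in records:
        win = json.loads(rec["full_log"])["win"]
        ed = win["eventdata"]
        if ed.get("processGuid") != process_guid:
            continue
        rows.append({"time": ed["utcTime"], "eventID": win["system"]["eventID"],
                     "target": ed.get("imageLoaded", ed.get("image")),
                     "sha256": parse_kv(ed.get("hashes", "")).get("SHA256"),
                     "technique": parse_kv(ed.get("ruleName", "")).get("technique_id")})
    return sorted(rows, key=lambda r: r["time"])


def summarize(rows):
    """One SHA256 across all events means the file on disk did not change between
    process start and image load; the technique list is what the Sysmon config tagged."""
    hashes = {r["sha256"] for r in rows if r["sha256"]}
    return {"sha256": hashes.pop() if len(hashes) == 1 else None,
            "techniques": sorted({r["technique"] for r in rows if r["technique"]})}


if __name__ == "__main__":
    timeline = process_timeline(RECORDS, DNA_GUID)
    for row in timeline:
        print(row)
    print(summarize(timeline))
```

Reading `full_log` is a deliberate choice: the decoded `data.win.eventdata` is what the rules match on, but the raw string is what the agent actually shipped, so it is the better source for a forensic pivot when a field is missing from the decoded view.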