Open xrisbarney opened 2 years ago
{ "win": { "eventdata": { "originalFileName": "ExcelDna.xll", "image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", "product": "Excel-DNA Add-In Framework for Microsoft Excel", "imageLoaded": "C:\\\\Users\\\\chris\\\\Downloads\\\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6\\\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6.xll", "description": "Excel-DNA Dynamic Link Library", "signed": "false", "signatureStatus": "Unavailable", "processGuid": "{ef5984a4-f69d-624b-dd04-000000000500}", "processId": "4976", "utcTime": "2022-04-05 07:58:40.494", "hashes": "SHA1=6B8F41B0BD35C0C4E6972A2C6B9D4ABEBF0861E9,MD5=8728DF136AF4050C1CE4E3C56E26B755,SHA256=8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6,IMPHASH=5E95C28CC2C318698383B346E766F577", "ruleName": "technique_id=T1137,technique_name=Office Application Startup", "company": "Govert van Drimmelen", "fileVersion": "1.1.0.3", "user": "DESKTOP-PQKPK46\\\\chris" }, "system": { "eventID": "7", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Image loaded:\r\nRuleName: technique_id=T1137,technique_name=Office Application Startup\r\nUtcTime: 2022-04-05 07:58:40.494\r\nProcessGuid: {ef5984a4-f69d-624b-dd04-000000000500}\r\nProcessId: 4976\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nImageLoaded: C:\\Users\\chris\\Downloads\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6\\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6.xll\r\nFileVersion: 1.1.0.3\r\nDescription: Excel-DNA Dynamic Link Library\r\nProduct: Excel-DNA Add-In Framework for Microsoft Excel\r\nCompany: Govert van Drimmelen\r\nOriginalFileName: ExcelDna.xll\r\nHashes: 
SHA1=6B8F41B0BD35C0C4E6972A2C6B9D4ABEBF0861E9,MD5=8728DF136AF4050C1CE4E3C56E26B755,SHA256=8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6,IMPHASH=5E95C28CC2C318698383B346E766F577\r\nSigned: false\r\nSignature: -\r\nSignatureStatus: Unavailable\r\nUser: DESKTOP-PQKPK46\\chris\"", "version": "3", "systemTime": "2022-04-05T07:58:40.5829742Z", "eventRecordID": "14309", "threadID": "2924", "computer": "DESKTOP-PQKPK46", "task": "7", "processID": "1916", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }
Done.
Rules
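<group name="malware_detection,fin7,">
  <!--
    Sysmon Event ID 7 (Image loaded): Excel loading an add-in.
    Rule 61609 is the Sysmon image-load base rule the author chains from;
    the three rules below narrow it step by step (level 0, then 3, then 7).
    Note that Event ID 7 is not logged by Sysmon unless image loading is
    enabled in the Sysmon configuration, so this chain is silent on agents
    whose config does not request it.

    Regex fixes relative to the original rules: "(?i)excel.exe" and
    "(?i)(.xll|.xla|.xlam)" used an unescaped "." (matches any character)
    and were not anchored, so "notexcel.exe" as the image, or a directory
    component such as "Stuff-xll", would also satisfy them. The patterns
    below escape the dot and anchor on the end of the path.
  -->
  <rule id="100002" level="0">
    <if_sid>61609</if_sid>
    <!-- \b rejects "notexcel.exe"; $ requires EXCEL.EXE to be the image basename -->
    <field name="win.eventdata.image" type="pcre2">(?i)\bexcel\.exe$</field>
    <description>Application $(win.eventdata.imageLoaded) loaded by excel.exe.</description>
    <mitre>
      <id>T1204</id>
      <id>T1137</id>
    </mitre>
  </rule>
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <!-- match only on the loaded file's extension (.xll/.xla/.xlam are Excel add-in formats) -->
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\.(xll|xla|xlam)$</field>
    <description>Add-in $(win.eventdata.originalFileName) loaded by excel.exe.</description>
    <mitre>
      <id>T1137</id>
      <id>T1137.001</id>
    </mitre>
  </rule>
  <rule id="100004" level="7">
    <if_sid>100003</if_sid>
    <!--
      Sysmon writes Signed as the string "false"; the anchors keep the match exact.
      A "true" here only means a valid Authenticode signature is present, not that
      the publisher is trusted, so the level-3 rule above still covers signed add-ins.
    -->
    <field name="win.eventdata.signed" type="pcre2">^false$</field>
    <description>Unsigned add-in $(win.eventdata.originalFileName) loaded by excel.exe. Possible malicious activity.</description>
    <mitre>
      <id>T1204</id>
      <id>T1204.002</id>
      <id>T1137</id>
      <id>T1137.001</id>
    </mitre>
  </rule>
</group>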
{ "win": { "eventdata": { "image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", "processGuid": "{ef5984a4-f69d-624b-dd04-000000000500}", "queryStatus": "0", "processId": "4976", "utcTime": "2022-04-05 07:58:50.837", "queryName": "physiciansofficenews.com", "queryResults": "::ffff:209.99.64.51;", "user": "DESKTOP-PQKPK46\\\\chris" }, "system": { "eventID": "22", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Dns query:\r\nRuleName: -\r\nUtcTime: 2022-04-05 07:58:50.837\r\nProcessGuid: {ef5984a4-f69d-624b-dd04-000000000500}\r\nProcessId: 4976\r\nQueryName: physiciansofficenews.com\r\nQueryStatus: 0\r\nQueryResults: ::ffff:209.99.64.51;\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nUser: DESKTOP-PQKPK46\\chris\"", "version": "5", "systemTime": "2022-04-05T07:58:51.5395974Z", "eventRecordID": "14317", "threadID": "2932", "computer": "DESKTOP-PQKPK46", "task": "22", "processID": "1916", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }
Done
Rules
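<group name="malware_detection,fin7,">
  <!--
    Sysmon Event ID 22 (DNS query) issued by Excel.
    Rule 61600 is the Sysmon base rule the author chains from; the explicit
    eventID check restricts this chain to DNS-query events only. Event 22 is
    a name resolution, not a connection (that is Event ID 3), which is why the
    level-0 description below says "DNS query" rather than "network request".
  -->
  <rule id="100005" level="0">
    <if_sid>61600</if_sid>
    <!-- \b rejects "notexcel.exe"; $ requires EXCEL.EXE to be the image basename -->
    <field name="win.eventdata.image" type="pcre2">(?i)\bexcel\.exe$</field>
    <field name="win.system.eventID" type="pcre2">^22$</field>
    <description>Excel made a DNS query.</description>
  </rule>
  <rule id="100006" level="15">
    <if_sid>100005</if_sid>
    <!--
      Exact-domain match (subdomains included via the leading "(^|\.)").
      The original pattern had unescaped dots and no anchors, so e.g.
      "thechinastyle.com.example" or "physiciansofficenewsXcom" also matched.
      Domain IoCs rotate quickly; review this list against current threat
      intel rather than treating it as complete.
    -->
    <field name="win.eventdata.queryName" type="pcre2">(?i)(^|\.)(physiciansofficenews|thechinastyle|divorceradio)\.com$</field>
    <description>Excel made a network request to JSSLoader dropper domains.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>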
{ "win": { "eventdata": { "image": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp", "parentProcessGuid": "{ef5984a4-2de5-624c-1402-000000000700}", "logonGuid": "{ef5984a4-0f92-624c-8023-030000000000}", "parentCommandLine": "\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE\\\"", "processGuid": "{ef5984a4-2f6a-624c-1c02-000000000700}", "logonId": "0x32380", "parentProcessId": "6820", "processId": "2144", "currentDirectory": "C:\\\\Users\\\\chris\\\\Documents\\\\", "utcTime": "2022-04-05 12:00:42.774", "hashes": "SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000", "parentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", "ruleName": "technique_id=T1137,technique_name=Office Application Startup", "commandLine": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp", "integrityLevel": "Medium", "user": "DESKTOP-PQKPK46\\\\chris", "terminalSessionId": "1", "parentUser": "DESKTOP-PQKPK46\\\\chris" }, "system": { "eventID": "1", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Process Create:\r\nRuleName: technique_id=T1137,technique_name=Office Application Startup\r\nUtcTime: 2022-04-05 12:00:42.774\r\nProcessGuid: {ef5984a4-2f6a-624c-1c02-000000000700}\r\nProcessId: 2144\r\nImage: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nCurrentDirectory: C:\\Users\\chris\\Documents\\\r\nUser: DESKTOP-PQKPK46\\chris\r\nLogonGuid: {ef5984a4-0f92-624c-8023-030000000000}\r\nLogonId: 0x32380\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\r\nParentProcessGuid: {ef5984a4-2de5-624c-1402-000000000700}\r\nParentProcessId: 6820\r\nParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nParentCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" \r\nParentUser: DESKTOP-PQKPK46\\chris\"", "version": "5", "systemTime": "2022-04-05T12:00:42.7834956Z", "eventRecordID": "19041", "threadID": "2888", "computer": "DESKTOP-PQKPK46", "task": "1", "processID": "1372", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }
Done
Rules
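<group name="malware_detection,fin7,">
  <!--
    Sysmon Event ID 1 (Process Create) with Excel as the parent process.
    Rule 61603 is the Sysmon process-creation base rule the author chains from.
    Chain: any child of Excel (level 0), child whose image ends in .tmp
    (level 7), child whose basename starts with DNA (level 15, matches the
    DNAxxx.tmp sample in this issue).

    Regex fixes relative to the original rules: "(?i).tmp" and "(?i)DNA"
    matched anywhere in the path, so a user or directory name containing
    "dna" or "xtmp" was enough to escalate to level 15. The patterns below
    anchor on the basename of the executed image.
  -->
  <rule id="100007" level="0">
    <if_sid>61603</if_sid>
    <!-- \b rejects "notexcel.exe"; $ requires EXCEL.EXE to be the parent basename -->
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\bexcel\.exe$</field>
    <description>$(win.eventdata.image) Process launched by excel.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>
  <rule id="100008" level="7">
    <if_sid>100007</if_sid>
    <!-- the executed image itself must carry the .tmp extension -->
    <field name="win.eventdata.image" type="pcre2">(?i)\.tmp$</field>
    <description>$(win.eventdata.image) executable masquerading as a TMP file was launched by excel. Possible FIN7 JSSLoader execution.</description>
    <mitre>
      <id>T1036</id>
      <id>T1059</id>
      <id>T1059.005</id>
    </mitre>
  </rule>
  <rule id="100009" level="15">
    <if_sid>100008</if_sid>
    <!-- basename must start with DNA and end in .tmp; \w* covers the variable middle (e.g. DNAxxx.tmp) -->
    <field name="win.eventdata.image" type="pcre2">(?i)\bDNA\w*\.tmp$</field>
    <description>$(win.eventdata.image) executable masquerading as a .TMP file launched by excel. DNA prefix is typically associated with FIN7 JSSLoader.</description>
    <mitre>
      <id>T1036</id>
      <id>T1059</id>
      <id>T1059.005</id>
    </mitre>
  </rule>
</group>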
{
"_index": "wazuh-archives-4.x-2022.04.05",
"_type": "_doc",
"_id": "v9C4-X8BHMy6u6Bix174",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-PQKPK46",
"id": "002"
},
"manager": {
"name": "blaq-ThinkPad-T440"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp",
"signatureStatus": "Unavailable",
"processGuid": "{ef5984a4-2f6a-624c-1c02-000000000700}",
"processId": "2144",
"utcTime": "2022-04-05 12:00:42.780",
"hashes": "SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000",
"ruleName": "technique_id=T1073,technique_name=DLL Side-Loading",
"imageLoaded": "C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp",
"signed": "false",
"user": "DESKTOP-PQKPK46\\\\chris"
},
"system": {
"eventID": "7",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Image loaded:\r\nRuleName: technique_id=T1073,technique_name=DLL Side-Loading\r\nUtcTime: 2022-04-05 12:00:42.780\r\nProcessGuid: {ef5984a4-2f6a-624c-1c02-000000000700}\r\nProcessId: 2144\r\nImage: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nImageLoaded: C:\\Users\\chris\\AppData\\Local\\Temp\\DNAxxx.tmp\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nHashes: SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\r\nSigned: false\r\nSignature: -\r\nSignatureStatus: Unavailable\r\nUser: DESKTOP-PQKPK46\\chris\"",
"version": "3",
"systemTime": "2022-04-05T12:00:42.7850398Z",
"eventRecordID": "19043",
"threadID": "2888",
"computer": "DESKTOP-PQKPK46",
"task": "7",
"processID": "1372",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"7\",\"version\":\"3\",\"level\":\"4\",\"task\":\"7\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-05T12:00:42.7850398Z\",\"eventRecordID\":\"19043\",\"processID\":\"1372\",\"threadID\":\"2888\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-PQKPK46\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Image loaded:\\r\\nRuleName: technique_id=T1073,technique_name=DLL Side-Loading\\r\\nUtcTime: 2022-04-05 12:00:42.780\\r\\nProcessGuid: {ef5984a4-2f6a-624c-1c02-000000000700}\\r\\nProcessId: 2144\\r\\nImage: C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp\\r\\nImageLoaded: C:\\\\Users\\\\chris\\\\AppData\\\\Local\\\\Temp\\\\DNAxxx.tmp\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nHashes: SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\\r\\nSigned: false\\r\\nSignature: -\\r\\nSignatureStatus: Unavailable\\r\\nUser: DESKTOP-PQKPK46\\\\chris\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1073,technique_name=DLL Side-Loading\",\"utcTime\":\"2022-04-05 
12:00:42.780\",\"processGuid\":\"{ef5984a4-2f6a-624c-1c02-000000000700}\",\"processId\":\"2144\",\"image\":\"C:\\\\\\\\Users\\\\\\\\chris\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\DNAxxx.tmp\",\"imageLoaded\":\"C:\\\\\\\\Users\\\\\\\\chris\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\DNAxxx.tmp\",\"hashes\":\"SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000\",\"signed\":\"false\",\"signatureStatus\":\"Unavailable\",\"user\":\"DESKTOP-PQKPK46\\\\\\\\chris\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-05T12:35:08.378Z",
"location": "EventChannel",
"id": "1649162108.2019574",
"timestamp": "2022-04-05T15:35:08.378+0300"
},
"fields": {
"@timestamp": [
"2022-04-05T12:35:08.378Z"
],
"timestamp": [
"2022-04-05T12:35:08.378Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@002@/kibana-highlighted-field@"
]
},
"sort": [
1649162108378
]
}
This issue will hold logs collected from the infected machines.