Analytics Story: Spearphishing Attachments
Description
Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.
Why it matters
Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as 91% of all successful attacks are initiated via a phishing email.
As most people know, these emails use fraudulent domains, email scraping, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely "automate" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.
While any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.
Following is a typical series of events, according to an article by Trend Micro:
- Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file
- The .lnk file executes a PowerShell script
- PowerShell executes a reverse shell, rendering the exploit successful
As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as exfiltration, lateral movement, and persistence.
This Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.
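As an added example (not Splunk ESCU content, and not the searches the story itself ships), the following Python script applies three of the patterns described above to a handful of constructed Sysmon-style events: an Office product spawning a scripting host or LOLBin (including the "rundll32 with no DLL" variant), outlook.exe writing a .zip file, and a process dropping a .lnk into a user-writable directory. The binary lists, the directory list and the sample event paths are assumptions made for the example, not values taken from the ESCU detections.

```python
# Added example, not Splunk ESCU content: a small Python detector that applies
# the Office-spawn, Outlook-writes-zip and LNK-drop patterns described above to
# constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
from pathlib import PureWindowsPath

# Office binaries that should rarely be the parent of a scripting host or LOLBin (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
# Children that the "Office Product Spawning ..." detections in the table watch for (assumed list).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msdt.exe", "control.exe",
}
# User-writable directories where a freshly dropped .lnk is worth a look (assumed list).
LNK_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")


def _base(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return PureWindowsPath(path).name.lower()


def detect(event):
    """Return the detection names that fire for one event dict (empty list if none)."""
    hits = []
    if event.get("EventID") == 1:  # process creation
        parent = _base(event.get("ParentImage", ""))
        child = _base(event.get("Image", ""))
        cmd = event.get("CommandLine", "").lower()
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append(f"Office Product Spawning {child}")
            # rundll32 normally carries a DLL path on its command line; its absence is unusual
            if child == "rundll32.exe" and ".dll" not in cmd:
                hits.append("Office Product Spawning Rundll32 with no DLL")
    elif event.get("EventID") == 11:  # file creation
        writer = _base(event.get("Image", ""))
        target = event.get("TargetFilename", "").lower()
        if writer == "outlook.exe" and target.endswith(".zip"):
            hits.append("Detect Outlook exe writing a zip file")
        if target.endswith(".lnk") and any(d in target for d in LNK_DIRS):
            hits.append("Process Creating LNK file in Suspicious Location")
    return hits


def scan(events):
    """Run detect() over a list of events; return (event index, detection name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in detect(ev)]


# Constructed sample events (paths, user name and file names invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.zip"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.lnk"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <constructed arguments>"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The two benign events at the end (explorer launching notepad, Word saving a .docx) are there to show that the rules key on the parent/child and writer/extension pairing rather than on any single process name; in production the same logic is expressed as searches over the Endpoint data model, with the allow-lists tuned to the environment.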
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Gdrive suspicious file sharing | Phishing | Hunting |
| Gsuite suspicious calendar invite | Phishing | Hunting |
| O365 Email Reported By Admin Found Malicious | Phishing, Spearphishing Attachment, Spearphishing Link | TTP |
| O365 Email Reported By User Found Malicious | Phishing, Spearphishing Attachment, Spearphishing Link | TTP |
| O365 Safe Links Detection | Phishing, Spearphishing Attachment | TTP |
| O365 Threat Intelligence Suspicious Email Delivered | Phishing, Spearphishing Attachment, Spearphishing Link | Anomaly |
| O365 ZAP Activity Detection | Phishing, Spearphishing Attachment, Spearphishing Link | Anomaly |
| Excel Spawning PowerShell | Security Account Manager, OS Credential Dumping | TTP |
| Excel Spawning Windows Script Host | Security Account Manager, OS Credential Dumping | TTP |
| MSHTML Module Load in Office Product | Phishing, Spearphishing Attachment | TTP |
| Office Application Spawn rundll32 process | Phishing, Spearphishing Attachment | TTP |
| Office Document Creating Schedule Task | Phishing, Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Document Spawned Child Process To Download | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning BITSAdmin | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning CertUtil | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning MSHTA | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Rundll32 with no DLL | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Windows Script Host | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Wmic | Phishing, Spearphishing Attachment | TTP |
| Office Product Writing cab or inf | Phishing, Spearphishing Attachment | TTP |
| Office Spawning Control | Phishing, Spearphishing Attachment | TTP |
| Windows Office Product Spawning MSDT | Phishing, Spearphishing Attachment | TTP |
| Winword Spawning Cmd | Phishing, Spearphishing Attachment | TTP |
| Winword Spawning PowerShell | Phishing, Spearphishing Attachment | TTP |
| Winword Spawning Windows Script Host | Phishing, Spearphishing Attachment | TTP |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP |
| Detect RTLO In File Name | Right-to-Left Override, Masquerading | TTP |
| Detect RTLO In Process | Right-to-Left Override, Masquerading | TTP |
| Process Creating LNK file in Suspicious Location | Phishing, Spearphishing Link | TTP |
| Windows ConHost with Headless Argument | Hidden Window, Run Virtual Instance | TTP |
| Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting |
| Windows Office Product Dropped Cab or Inf File | Phishing, Spearphishing Attachment | TTP |
| Windows Office Product Loaded MSHTML Module | Phishing, Spearphishing Attachment | Anomaly |
| Windows Office Product Loading Taskschd DLL | Phishing, Spearphishing Attachment | Anomaly |
| Windows Office Product Loading VBE7 DLL | Phishing, Spearphishing Attachment | Anomaly |
| Windows Office Product Spawned Child Process For Download | Phishing, Spearphishing Attachment | TTP |
| Windows Office Product Spawned Control | Phishing, Spearphishing Attachment | TTP |
| Windows Office Product Spawned MSDT | Phishing, Spearphishing Attachment | TTP |
| Windows Office Product Spawned Rundll32 With No DLL | Phishing, Spearphishing Attachment | TTP |
| Windows Office Product Spawned Uncommon Process | Phishing, Spearphishing Attachment | TTP |
| Windows Phishing PDF File Executes URL Link | Spearphishing Attachment, Phishing | Anomaly |
| Windows RDP File Execution | Spearphishing Attachment, Remote Desktop Protocol | TTP |
| Windows RDPClient Connection Sequence Events | External Remote Services | Anomaly |
| Windows Spearphishing Attachment Connect To None MS Office Domain | Spearphishing Attachment, Phishing | Hunting |
| Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment, Phishing | TTP |
Source: GitHub | Version: 1