Analytics Story: Spearphishing Attachments

Date: 2019-04-29 ID: 57226b40-94f3-4ce5-b101-a75f67759c27 Author: Splunk Research Team, Splunk Product: Splunk Enterprise Security

Description

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

Why it matters

Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as 91% of all successful attacks are initiated via a phishing email. As most people know, these emails use fraudulent domains, email scraping, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely "automate" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. While any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. Following is a typical series of events, according to an article by Trend Micro:

  1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file
  2. The .lnk file executes a PowerShell script
  3. Powershell executes a reverse shell, rendering the exploit successful
As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as exfiltration, lateral movement, and persistence. This Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Gdrive suspicious file sharing Phishing Hunting
Gsuite suspicious calendar invite Phishing Hunting
O365 Email Reported By Admin Found Malicious Phishing, Spearphishing Attachment, Spearphishing Link TTP
O365 Email Reported By User Found Malicious Phishing, Spearphishing Attachment, Spearphishing Link TTP
O365 Safe Links Detection Phishing, Spearphishing Attachment TTP
O365 Threat Intelligence Suspicious Email Delivered Phishing, Spearphishing Attachment, Spearphishing Link Anomaly
O365 ZAP Activity Detection Phishing, Spearphishing Attachment, Spearphishing Link Anomaly
Detect Outlook exe writing a zip file Phishing, Spearphishing Attachment TTP
Detect RTLO In File Name Right-to-Left Override, Masquerading TTP
Detect RTLO In Process Right-to-Left Override, Masquerading TTP
Excel Spawning PowerShell Security Account Manager, OS Credential Dumping TTP
Excel Spawning Windows Script Host Security Account Manager, OS Credential Dumping TTP
MSHTML Module Load in Office Product Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Creating Schedule Task Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment TTP
Office Product Spawning BITSAdmin Phishing, Spearphishing Attachment TTP
Office Product Spawning CertUtil Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Office Product Spawning Rundll32 with no DLL Phishing, Spearphishing Attachment TTP
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment TTP
Office Product Spawning Wmic Phishing, Spearphishing Attachment TTP
Office Product Writing cab or inf Phishing, Spearphishing Attachment TTP
Office Spawning Control Phishing, Spearphishing Attachment TTP
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link TTP
Windows ConHost with Headless Argument Hidden Window, Run Virtual Instance TTP
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Office Product Spawning MSDT Phishing, Spearphishing Attachment TTP
Windows Phishing PDF File Executes URL Link Spearphishing Attachment, Phishing Anomaly
Windows Spearphishing Attachment Connect To None MS Office Domain Spearphishing Attachment, Phishing Hunting
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment, Phishing TTP
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1