Analytics Story: Spearphishing Attachments

Date: 2019-04-29 ID: 57226b40-94f3-4ce5-b101-a75f67759c27 Author: Splunk Research Team, Splunk Product: Splunk Enterprise Security

Description

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

Why it matters

Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as 91% of all successful attacks are initiated via a phishing email. As most people know, these emails use fraudulent domains, email scraping, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely "automate" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. While any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. Following is a typical series of events, according to an article by Trend Micro:

  1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file
  2. The .lnk file executes a PowerShell script
  3. Powershell executes a reverse shell, rendering the exploit successful
As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as exfiltration, lateral movement, and persistence. This Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Gdrive suspicious file sharing Phishing Hunting
Gsuite suspicious calendar invite Phishing Hunting
O365 Email Reported By Admin Found Malicious Spearphishing Attachment, Spearphishing Link TTP
O365 Email Reported By User Found Malicious Spearphishing Attachment, Spearphishing Link TTP
O365 Safe Links Detection Spearphishing Attachment TTP
O365 Threat Intelligence Suspicious Email Delivered Spearphishing Attachment, Spearphishing Link Anomaly
O365 ZAP Activity Detection Spearphishing Attachment, Spearphishing Link Anomaly
Excel Spawning PowerShell Security Account Manager TTP
Excel Spawning Windows Script Host Security Account Manager TTP
MSHTML Module Load in Office Product Spearphishing Attachment TTP
Office Application Spawn rundll32 process Spearphishing Attachment TTP
Office Document Creating Schedule Task Spearphishing Attachment TTP
Office Document Executing Macro Code Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Spearphishing Attachment TTP
Office Product Spawning BITSAdmin Spearphishing Attachment TTP
Office Product Spawning CertUtil Spearphishing Attachment TTP
Office Product Spawning MSHTA Spearphishing Attachment TTP
Office Product Spawning Rundll32 with no DLL Spearphishing Attachment TTP
Office Product Spawning Windows Script Host Spearphishing Attachment TTP
Office Product Spawning Wmic Spearphishing Attachment TTP
Office Product Writing cab or inf Spearphishing Attachment TTP
Office Spawning Control Spearphishing Attachment TTP
Windows Office Product Spawning MSDT Spearphishing Attachment TTP
Winword Spawning Cmd Spearphishing Attachment TTP
Winword Spawning PowerShell Spearphishing Attachment TTP
Winword Spawning Windows Script Host Spearphishing Attachment TTP
Detect Outlook exe writing a zip file Spearphishing Attachment TTP
Detect RTLO In File Name Right-to-Left Override TTP
Detect RTLO In Process Right-to-Left Override TTP
Process Creating LNK file in Suspicious Location Spearphishing Link TTP
Windows ConHost with Headless Argument Hidden Window, Run Virtual Instance TTP
Windows ISO LNK File Creation Malicious Link, Spearphishing Attachment Hunting
Windows Office Product Dropped Cab or Inf File Spearphishing Attachment TTP
Windows Office Product Loaded MSHTML Module Spearphishing Attachment Anomaly
Windows Office Product Loading Taskschd DLL Spearphishing Attachment Anomaly
Windows Office Product Loading VBE7 DLL Spearphishing Attachment Anomaly
Windows Office Product Spawned Child Process For Download Spearphishing Attachment TTP
Windows Office Product Spawned Control Spearphishing Attachment TTP
Windows Office Product Spawned MSDT Spearphishing Attachment TTP
Windows Office Product Spawned Rundll32 With No DLL Spearphishing Attachment TTP
Windows Office Product Spawned Uncommon Process Spearphishing Attachment TTP
Windows Phishing PDF File Executes URL Link Spearphishing Attachment Anomaly
Windows RDP File Execution Spearphishing Attachment, Remote Desktop Protocol TTP
Windows RDPClient Connection Sequence Events External Remote Services Anomaly
Windows Spearphishing Attachment Connect To None MS Office Domain Spearphishing Attachment Hunting
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 Windows icon Windows WinEventLog WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1