# LAB 002: Detect a malicious macro

## Anatomy of a spear phishing attack

A typical spear phishing attack is a targeted attack against one or more people in a company. The email usually looks legitimate and is sent from a trusted or look-alike domain that spam filters do not block.

The email includes information specific to the target, such as her/his name and role within the company. This radically increases the chance that the victim will open the email and download the attachment. The attachment can be one of many file types, but the ones we see most often are Office documents (Microsoft and others) and PDFs.

### Malicious macros

Malicious macros are often used as a vector to download malware onto the target machine and establish persistence, giving attackers a foothold from which to move laterally, compromise the whole network and/or exfiltrate information.

MITRE ATT&CK reference: T1137 (Office Application Startup)

{% embed url="<https://attack.mitre.org/techniques/T1137>" %}

### Setup

To detect possible malicious macros we use the lightweight data shippers provided by Elastic: the Beats.

#### Beats used in this lab

* Winlogbeat (Windows event log, including Sysmon process-creation events)
* Auditbeat

Check "LAB 001: Setup" if you have not done so yet.

{% content-ref url="/pages/-LrSps--BzydomkpPn7S" %}
[LAB 001:Setup](/trainings/workshop-threat-hunting-with-belk-stack/lab-001-setup.md)
{% endcontent-ref %}

### Attack

To simulate a spear-phishing attack with a malicious attachment, we created a Word document containing a macro that runs every time the document is opened.

{% hint style="warning" %}
We assume that the victim has already downloaded the file.
{% endhint %}

We created a macro-enabled `.docm` file that contains two macros:

* AutoExec
  * Runs `cmd.exe`
* AutoOpen
  * Runs `powershell.exe`

Both macros are shown below. Note that Word only honours AutoExec at start-up, from the Normal template or a global add-in, whereas AutoOpen runs whenever the document is opened, so AutoOpen is the one that reliably fires from a stand-alone `.docm` (the alert we see later in this lab is indeed WINWORD.EXE spawning powershell.exe).

```vba
' Auto macros of the malicious document.
' Shell() launches a new process whose parent is WINWORD.EXE: that
' parent/child relationship is what the detection below keys on.
Sub AutoExec()
'
' AutoExec Macro
'
'
    Shell "C:\Windows\System32\cmd.exe"
End Sub

Sub AutoOpen()
'
' AutoOpen Macro
'
'
    Shell "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
End Sub
```

The macro is deliberately simple, nothing advanced, but it reproduces the behaviour we see in most of the phishing attacks we analyse: an Office application spawning a shell or script interpreter.

![](/files/-LrZmWX_gRQKWkiSTsGD)

The document relies on its content being unreadable until the user clicks "Enable Content", because Microsoft Word does not execute macros unless the user explicitly allows them. The trick looks pretty lame, but sooner or later somebody in the company will be tricked into enabling the macro, and we want to be ready to detect it when that happens.

{% hint style="info" %}
Let's launch the attack: open the document [Financial-Plan-2019-DCODX.docm](https://app.gitbook.com/s/-LpsUccoL9AvW9-dz-sO/trainings/workshop-threat-hunting-with-belk-stack/Financial-Plan-2019-DCODX.docm) on the target machine (Windows VM) and enable the macro.
{% endhint %}

{% file src="/files/-LrZiTy8PuLXqjlp5fRh" %}
Financial Plan 2019 DCODX
{% endfile %}

### Detection

We want a rule that alerts any time an Office application spawns, via a macro, a child process that could be used for malicious actions. **Sigma** already offers a rule that does exactly that.

{% embed url="<https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_office_shell.yml>" %}

{% hint style="success" %}
Let's analyse it.
{% endhint %}

The Office applications we are interested in as parent processes (the `ParentImage` selection of the rule) are the following:

```
- '*\WINWORD.EXE'
- '*\EXCEL.EXE'
- '*\POWERPNT.exe'
- '*\MSPUB.exe'
- '*\VISIO.exe'
- '*\OUTLOOK.EXE'
```

Each of these applications can execute commands on the system. Malicious actions will typically be carried out through one or more of the following child processes (the `Image` selection of the rule):

```
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\scrcons.exe'
- '*\schtasks.exe'
- '*\regsvr32.exe'
- '*\hh.exe'
- '*\wmic.exe'
- '*\mshta.exe'
- '*\rundll32.exe'
- '*\msiexec.exe'
- '*\forfiles.exe'
- '*\scriptrunner.exe'
- '*\mftrace.exe'
- '*\AppVLP.exe'
- '*\svchost.exe'
...
```

{% hint style="info" %}
The list is not exhaustive and can be expanded with more processes.
{% endhint %}
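To make the rule's logic concrete, here is an added example, not part of the original lab or of the Sigma project, that re-implements the rule's parent/child selection in Python and runs it over a handful of constructed process-creation events shaped like the ECS documents Winlogbeat ships for Sysmon Event ID 1. The field names (`process.name`, `process.parent.name`, `process.parent.command_line`, `process.hash.sha1`), the document-extension list and the sample events are assumptions of the example. Matching is suffix-based and case-insensitive, as the Sigma specification requires, and each hit is reduced to the fields an analyst screens on.

```python
"""Office-spawns-shell detection (Sigma win_office_shell logic) over sample events."""
import re

# Parent processes from the rule's ParentImage selection (compared case-insensitively)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe", "outlook.exe"}

# Child processes from the rule's Image selection (compared case-insensitively)
SHELL_CHILDREN = {name.lower() for name in (
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "sh.exe", "bash.exe",
    "scrcons.exe", "schtasks.exe", "regsvr32.exe", "hh.exe", "wmic.exe", "mshta.exe",
    "rundll32.exe", "msiexec.exe", "forfiles.exe", "scriptrunner.exe", "mftrace.exe",
    "AppVLP.exe", "svchost.exe",
)}

# Extensions treated as "the opened document" when found on the parent's command line (assumption)
OFFICE_EXTENSIONS = {"doc", "docm", "dotm", "xls", "xlsm", "xlam", "ppt", "pptm", "ppam", "pub", "vsd", "vsdm"}


def image_name(proc):
    """Lower-cased executable name of a process sub-document.

    Sigma's '*\\WINWORD.EXE' is an 'endswith' match on the full image path; we accept
    either the ECS `name` (basename) or `executable` (full path) and normalise both.
    """
    name = proc.get("name") or proc.get("executable", "").replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower()


def is_office_shell(event):
    """True when an Office application spawned a process from the shell list."""
    process = event.get("process", {})
    parent = process.get("parent", {})
    return image_name(parent) in OFFICE_PARENTS and image_name(process) in SHELL_CHILDREN


def document_from_command_line(command_line):
    """Return the opened document from a command line such as
    "...\\WINWORD.EXE" /n "<document>" /o "" (first quoted Office-typed argument)."""
    for quoted in re.findall(r'"([^"]+)"', command_line or ""):
        if quoted.lower().rsplit(".", 1)[-1] in OFFICE_EXTENSIONS:
            return quoted
    return None


def triage(events):
    """Apply the rule and reduce each hit to what an analyst pivots on."""
    hits = []
    for event in events:
        if not is_office_shell(event):
            continue
        process = event["process"]
        hits.append({
            "host": event.get("host", {}).get("name"),
            "parent": image_name(process["parent"]),
            "child": image_name(process),
            "document": document_from_command_line(process["parent"].get("command_line")),
            "child_sha1": process.get("hash", {}).get("sha1"),  # Sysmon hashes the *child* image
        })
    return hits


# Constructed sample events (not real telemetry); the first mirrors the lab's attack.
SAMPLE_EVENTS = [
    {"host": {"name": "win10-victim"},
     "process": {"name": "powershell.exe",
                 "hash": {"sha1": "0123456789abcdef0123456789abcdef01234567"},  # placeholder value
                 "parent": {"name": "WINWORD.EXE",
                            "command_line": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\IEUser\Documents\Financial-Plan-2019-DCODX.docm" /o ""'}}},
    {"host": {"name": "win10-finance"},  # parent given as a full path, no basename
     "process": {"name": "cmd.exe",
                 "parent": {"executable": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                            "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\IEUser\Downloads\invoice.xlsm"'}}},
    {"host": {"name": "win10-victim"},  # shell started from the desktop: not an Office parent
     "process": {"name": "powershell.exe", "parent": {"name": "explorer.exe"}}},
    {"host": {"name": "win10-victim"},  # Word printing: child is not on the list
     "process": {"name": "splwow64.exe", "parent": {"name": "WINWORD.EXE"}}},
    {"host": {"name": "win10-sales"},  # lower-case parent name still matches, as in Sigma
     "process": {"name": "cmd.exe", "parent": {"name": "outlook.exe"}}},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints three hits (Word, Excel and Outlook) and drops the two benign events. The case-insensitive comparison is the point to carry over when translating the rule into Kibana or ElastAlert queries, which do not get it for free.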

#### Kibana

A security analyst must be able to dig through the large volume of data continuously received from the monitored assets. To filter the results manually in Kibana (KQL) and investigate further, we can use the query:

```
(
  process.parent.name : "WINWORD.EXE" or
  process.parent.name : "EXCEL.EXE" or
  process.parent.name : "POWERPNT.exe" or
  process.parent.name : "MSPUB.exe" or
  process.parent.name : "VISIO.exe" or
  process.parent.name : "OUTLOOK.EXE"
) and (
  process.name : "cmd.exe" or
  process.name : "powershell.exe" or
  process.name : "wscript.exe" or
  process.name : "cscript.exe" or
  process.name : "sh.exe" or
  process.name : "bash.exe" or
  process.name : "scrcons.exe" or
  process.name : "schtasks.exe" or
  process.name : "regsvr32.exe" or
  process.name : "hh.exe" or
  process.name : "wmic.exe" or
  process.name : "mshta.exe" or
  process.name : "rundll32.exe" or
  process.name : "msiexec.exe" or
  process.name : "forfiles.exe" or
  process.name : "scriptrunner.exe" or
  process.name : "mftrace.exe" or
  process.name : "AppVLP.exe" or
  process.name : "svchost.exe"
)
```

The result is every event in which one of the listed Office processes spawned a child process from our list.

![](/files/-LrZiuiXDdFXXEv5Tt1K)

Here we can see a Word document that started cmd.exe.

One caveat when porting the Sigma rule: Sigma matching is case-insensitive by specification, but `process.name` and `process.parent.name` are keyword fields, and a KQL or `query_string` match against a keyword is exact and case-sensitive. Check in Discover how your agent actually records the names (Sysmon reports the image name as it is on disk, for example `WINWORD.EXE`) and use that spelling in the query, otherwise a parent such as `OUTLOOK.EXE` would be silently missed.

#### ElastAlert

Now that we know what we are looking for, and how to filter the results in Kibana, we can automate the whole detection by creating an ElastAlert rule and receiving an alert in Slack any time a document launches a child process from our list.

{% hint style="info" %}
Let's create the rule
{% endhint %}

We use a `query_string` filter so that the ElastAlert rule matches exactly the same processes as the Kibana query. Note that `slack_webhook_url` is a top-level key of the rule file:

```yaml
# ElastAlert rule: alert when an Office application spawns a child process from the list
name: Office-macro-1
description: "Detect Malicious Office document"
type: any                        # every matching event raises an alert
index: auditbeat-*,winlogbeat-*
priority: 3
realert:
  seconds: 1                     # do not silence repeated matches for more than one second
filter:
- query:
    query_string:
      query: >-
        process.parent.name:("WINWORD.EXE" OR "EXCEL.EXE" OR "POWERPNT.exe" OR "MSPUB.exe" OR "VISIO.exe" OR "OUTLOOK.EXE")
        AND process.name:("cmd.exe" OR "powershell.exe" OR "wscript.exe" OR "cscript.exe" OR "sh.exe" OR "bash.exe"
        OR "scrcons.exe" OR "schtasks.exe" OR "regsvr32.exe" OR "hh.exe" OR "wmic.exe" OR "mshta.exe"
        OR "rundll32.exe" OR "msiexec.exe" OR "forfiles.exe" OR "scriptrunner.exe" OR "mftrace.exe"
        OR "AppVLP.exe" OR "svchost.exe")
alert:
- "slack"
slack_webhook_url: "https://hooks.slack.com/services/TPD2N[..............]VSMBBFV5yn"
```

#### Slack channel alert

As soon as our rule matches, we should see the alerts in Slack, in the #threat-hunting channel.

![](/files/-LrZjCxWiq7p9ZQ5CxBN)

We can see that the rule works, matching the right pattern (WINWORD.EXE spawning powershell.exe in this particular case).

![](/files/-LrZjJFvfrbZQ94rNbqn)

The logged event gives us what we need to screen every machine on which the file was opened.

Hash recorded in the event:

`Hashes: SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F`

Name of the file, taken from the parent's command line:

`ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\IEUser\Documents\Financial-Plan-2019-DCODX.docm" /o ""`

Keep in mind that in a Sysmon process-creation event the `Hashes` field is the hash of the image that was started (here powershell.exe), not of the document. The document itself is identified by its path in `ParentCommandLine`; hash the `.docm` separately if you want to pivot on the file across hosts.

{% hint style="success" %}
Great! You successfully completed the second lab: Detect a malicious macro!
{% endhint %}

{% hint style="info" %}
Interesting? For more info about the full course **<info@dcodx.com>**
{% endhint %}
