LAB 002: Detect a malicious macro

In this lab we are going to use the threat hunting platform to detect and analyse the execution of a malicious macro.

Anatomy of a spear phishing attack

A typical spear phishing attack is a targeted attack against one or more profiles of a company. Usually the email looks legitimate and is sent from trusted domains that are not blocked by spam filters.

The email includes information specific to the target, including her/his name and role within the company. This radically increases the chances that the victim will open the email and download the attachments. The attachment can be one of a variety of file types, but the ones we see most often are Office documents (Microsoft and others) and PDFs.

Malicious macros

Malicious macros are often used as a vector to download malware onto the target machine and create persistence, giving attackers access to the target so they can move laterally, compromise the whole network and/or exfiltrate information.

MITRE ATT&CK reference

Setup

To detect possible malicious macros we are going to use the lightweight agents provided by Elastic: the Beats.

Beats used in this lab

  • WinLogBeat

  • AuditBeat

See "LAB001: Setup" if you have not completed it yet.

Attack

To create a simulation of a possible spear-phishing attack with a malicious attachment, we created a Word document containing a macro that is activated any time the document is opened.

We assume that the victim has already downloaded the files.

We created a .docm file that contains two macros:

  • AutoExec

    • Runs cmd.exe

  • AutoOpen

    • Runs powershell.exe

Both macros are executed when the document is opened and look exactly like the one below.

Sub AutoExec()
'
' AutoExec Macro
'
'

Shell "C:\Windows\System32\cmd.exe"

End Sub
Sub AutoOpen()
'
' AutoOpen Macro
'
'

Shell "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
End Sub

The macro is pretty simple, nothing too advanced, but it helps us simulate a typical scenario that we see in most of the phishing attacks we analyse.

The document leverages the fact that its content appears unreadable and that the only way to read it is to enable macros. This is because Microsoft Word does not execute macros unless the user specifically allows them. Although the trick looks pretty lame, the idea is that sooner or later somebody in the company will be tricked into opening the file, but we will be prepared to detect the threat.

Let's launch the attack: We can simply open the document Financial-Plan-2019-DCODX.docm on our target machine (Windows VM).

Detection

We want to create a rule that alerts any time an Office document creates a new subprocess, via macros, that could lead to malicious actions. Sigma already offers a rule that does that for us.

Let's analyse it.

A list of the Office executables that we are interested in could be the following:

- '*\WINWORD.EXE'
- '*\EXCEL.EXE'
- '*\POWERPNT.exe'
- '*\MSPUB.exe'
- '*\VISIO.exe'
- '*\OUTLOOK.EXE'

Each of these processes has a way to execute commands on the system. Possible malicious actions will be executed using one or more of the following processes:

- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\scrcons.exe'
- '*\schtasks.exe'
- '*\regsvr32.exe'
- '*\hh.exe'
- '*\wmic.exe'
- '*\mshta.exe'
- '*\rundll32.exe'
- '*\msiexec.exe'
- '*\forfiles.exe'
- '*\scriptrunner.exe'
- '*\mftrace.exe'
- '*\AppVLP.exe'
- '*\svchost.exe'
...

The list is not exhaustive and can be expanded with more processes.

Kibana

A security analyst must be able to dig into the large volume of data that is continuously received from the monitored assets. If we want to manually filter the possible results in Kibana and investigate further, we can use the query:

(
process.parent.name : "WINWORD.EXE" or
process.parent.name : "EXCEL.EXE" or
process.parent.name : "POWERPNT.exe" or
process.parent.name : "MSPUB.exe" or
process.parent.name : "VISIO.exe" or
process.parent.name : "OUTLOOK.EXE"
) and (
process.name : "cmd.exe" or
process.name : "powershell.exe" or
process.name : "wscript.exe" or
process.name : "cscript.exe" or
process.name : "sh.exe" or
process.name : "bash.exe" or
process.name : "scrcons.exe" or
process.name : "schtasks.exe" or
process.name : "regsvr32.exe" or
process.name : "hh.exe" or
process.name : "wmic.exe" or
process.name : "mshta.exe" or
process.name : "rundll32.exe" or
process.name : "msiexec.exe" or
process.name : "forfiles.exe" or
process.name : "scriptrunner.exe" or
process.name : "mftrace.exe" or
process.name : "AppVLP.exe" or
process.name : "svchost.exe"
)

As a result, we can see all the processes that spawn a subprocess included in our list.

We can detect any Word document that started cmd.exe.

ElastAlert

Now that we know what we are looking for, and how to filter results in the Kibana dashboard, we can automate the full detection process by creating a rule in ElastAlert and receiving the alerts in Slack any time a document launches a subprocess included in our list.

Let's create the rule.

In this case we want to use the ElastAlert syntax to exactly match our processes. We choose query_string to specify the query:

alert:
- "slack"
slack:
slack_webhook_url: "https://hooks.slack.com/services/TPD2N[..............]VSMBBFV5yn"
description: "Detect Malicious Office document" 
filter:
 - query:
    query_string:
      query: (process.parent.name:("WINWORD.EXE" OR "EXCEL.EXE"
        OR "POWERPNT.exe" OR "MSPUB.exe" OR "VISIO.exe" OR "OUTLOOK.EXE") AND
        process.name:("cmd.exe" OR "powershell.exe" OR "wscript.exe"
        OR "cscript.exe" OR "sh.exe" OR "bash.exe" OR "scrcons.exe" OR
        "schtasks.exe" OR "regsvr32.exe" OR "hh.exe" OR "wmic.exe" OR
        "mshta.exe" OR "rundll32.exe" OR "msiexec.exe" OR "forfiles.exe" OR
        "scriptrunner.exe" OR "mftrace.exe" OR "AppVLP.exe" OR "svchost.exe"))
index: auditbeat-*,winlogbeat-*
name: Office-macro-1
priority: 3
realert:
  seconds: 1
type: any

Slack channel alert

As soon as our rule matches, we should be able to see our alerts in Slack in the #threat-hunting channel.

We can see that the rule works fine, matching the right patterns (Word + PowerShell in this particular case).

The logged data gives us valuable information for screening every machine where the file was downloaded.

Hash of the file:

Hashes: SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F

Name of the file:

ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\IEUser\Documents\Financial-Plan-2019-DCODX.docm" /o ""
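The parent/child matching from the Detection section and the ParentCommandLine triage shown above, as an added example that is not part of the original lab: it flags Office-spawned children case-insensitively and pulls the opened document path out of the parent command line. The events are constructed, and the Image and ParentImage field names are assumed (Sysmon-style) to sit alongside the ParentCommandLine field from the alert.

```python
import ntpath
import re

# Image names from the two lists in the Detection section, lower-cased.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe",
                  "visio.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "sh.exe",
    "bash.exe", "scrcons.exe", "schtasks.exe", "regsvr32.exe", "hh.exe",
    "wmic.exe", "mshta.exe", "rundll32.exe", "msiexec.exe", "forfiles.exe",
    "scriptrunner.exe", "mftrace.exe", "appvlp.exe", "svchost.exe"}
DOC_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm")
QUOTED_ARG = re.compile(r'"([^"]+)"')

# Constructed sample events; Image/ParentImage field names are an assumption.
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Root\Office16"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": OFFICE + r"\WINWORD.EXE",
     "ParentCommandLine": '"' + OFFICE + r'\WINWORD.EXE" /n '
         r'"C:\Users\IEUser\Documents\Financial-Plan-2019-DCODX.docm" /o ""'},
    {"Image": r"C:\Windows\System32\CMD.EXE",      # mixed case must still match
     "ParentImage": OFFICE + r"\excel.exe",
     "ParentCommandLine": '"' + OFFICE + r'\excel.exe" "C:\Temp\budget.xlsm"'},
    {"Image": r"C:\Windows\System32\cmd.exe",      # benign: started from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]


def image_name(path):
    """File name of a Windows path, lower-cased for case-insensitive matching."""
    return ntpath.basename(path or "").lower()


def opened_document(parent_cmdline):
    """First quoted argument with an Office document extension, else None."""
    for arg in QUOTED_ARG.findall(parent_cmdline or ""):
        if arg.lower().endswith(DOC_EXTENSIONS):
            return arg
    return None


def hunt(events):
    """Return (child image, document path) for every Office-spawned listed child."""
    return [(image_name(ev["Image"]), opened_document(ev.get("ParentCommandLine")))
            for ev in events
            if image_name(ev.get("ParentImage")) in OFFICE_PARENTS
            and image_name(ev.get("Image")) in SUSPICIOUS_CHILDREN]
```

Calling hunt(SAMPLE_EVENTS) returns the PowerShell and cmd.exe hits with their document paths and skips the Explorer-started cmd.exe.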

Great! You successfully completed the second lab: Detect a malicious macro!

Interesting? For more info about the full course, contact info@dcodx.com
