All Things Computers
2 min read · Nov 28, 2022

Detection Series: #3 Detecting Phishing

Phishing is one of the top ways adversaries gain initial access to a target's network. One method is a malicious document emailed to a target; the user opens the file, which then spawns a command line running a malicious command. From there the system can be taken over in seconds.

A rule with the following logic is useful:

Parent process is Outlook

++

Child process is an Office process

++

Office process has a scripting tool in its command line

Here are some queries adapted to several SIEMs and tools for you to use.

Elastic
(process.parent.executable.text:*\\outlook.exe AND (process.executable.text:(*\\excel.exe OR *\\winword.exe OR *\\powerpnt.exe OR *\\mspub.exe) OR process.command_line.text:(*powershell.exe* OR *cmd.exe* OR *CScript.exe* OR *WScript.exe*)))

Qradar
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("ParentImage" ilike '%\outlook.exe') and (("Image" ilike '%\excel.exe' or "Image" ilike '%\winword.exe' or "Image" ilike '%\powerpnt.exe' or "Image" ilike '%\mspub.exe') or ("Process CommandLine" ilike '%powershell.exe%' or "Process CommandLine" ilike '%cmd.exe%' or "Process CommandLine" ilike '%CScript.exe%' or "Process CommandLine" ilike '%WScript.exe%'))

Splunk
source="WinEventLog:*" AND ((ParentImage="*\\outlook.exe") AND ((Image="*\\excel.exe" OR Image="*\\winword.exe" OR Image="*\\powerpnt.exe" OR Image="*\\mspub.exe") OR (CommandLine="*powershell.exe*" OR CommandLine="*cmd.exe*" OR CommandLine="*CScript.exe*" OR CommandLine="*WScript.exe*")))

Carbon Black
(parent_name:*\\outlook.exe AND (process_name:(*\\excel.exe OR *\\winword.exe OR *\\powerpnt.exe OR *\\mspub.exe) OR process_cmdline:(*powershell.exe* OR *cmd.exe* OR *CScript.exe* OR *WScript.exe*)))

AWS Open Search
(process.parent.executable.text:*\\outlook.exe AND (process.executable.text:(*\\excel.exe OR *\\winword.exe OR *\\powerpnt.exe OR *\\mspub.exe) OR process.command_line.text:(*powershell.exe* OR *cmd.exe* OR *CScript.exe* OR *WScript.exe*)))

Sumo Logic
(_sourceCategory=*windows* AND (ParentImage = "*\outlook.exe") AND (((Image = "*\excel.exe" OR Image = "*\winword.exe" OR Image = "*\powerpnt.exe" OR Image = "*\mspub.exe") OR (CommandLine = "*powershell.exe*" OR CommandLine = "*cmd.exe*" OR CommandLine = "*CScript.exe*" OR CommandLine = "*WScript.exe*"))))
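The logic behind these queries, as an added Python example that is not from this post or the linked Sigma rule, run over constructed Sysmon-style process-creation events using the Splunk/QRadar field names (ParentImage, Image, CommandLine). Note that the queries above pair the Outlook parent with either an Office child or a scripting tool in the command line (an OR), while the three-line rule description reads as an AND; the hypothetical `strict` flag lets you compare both forms.

```python
import ntpath

# Names used by the queries above: Office children and scripting tools.
OFFICE_CHILDREN = {"excel.exe", "winword.exe", "powerpnt.exe", "mspub.exe"}
SCRIPT_TOOLS = ("powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe")


def is_outlook_child_alert(event, strict=False):
    """Apply the rule to one process-creation event.

    strict=False reproduces the SIEM queries: Outlook parent AND (Office child
    OR scripting tool in the command line). strict=True is the three-condition
    AND form. Matching is case-insensitive, as in the queries (ilike, wildcards).
    """
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if parent != "outlook.exe":
        return False
    office_child = image in OFFICE_CHILDREN
    script_in_cmdline = any(tool in cmdline for tool in SCRIPT_TOOLS)
    if strict:
        return office_child and script_in_cmdline
    return office_child or script_in_cmdline


def run_detection(events, strict=False):
    """Return the EventIds of the events that fire the rule."""
    return [e["EventId"] for e in events if is_outlook_child_alert(e, strict)]


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample events, one per branch of the rule (not real telemetry).
SAMPLE_EVENTS = [
    # 1: Outlook opens an attachment in Word -> Office-child branch only
    {"EventId": 1, "ParentImage": OUTLOOK, "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /n "C:\\Users\\u\\AppData\\Local\\Temp\\invoice.docx"'},
    # 2: Outlook spawns cmd.exe directly -> command-line branch only
    {"EventId": 2, "ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # 3: Word started from Explorer -> parent is not Outlook, no alert
    {"EventId": 3, "ParentImage": r"C:\Windows\explorer.exe", "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /n "C:\\Users\\u\\Documents\\notes.docx"'},
    # 4: contrived: Outlook -> Word with a scripting host named on the command
    #    line, the only event that also satisfies the strict (AND) form
    {"EventId": 4, "ParentImage": OUTLOOK, "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /x WScript.exe'},
]

if __name__ == "__main__":
    print("query form (OR):", run_detection(SAMPLE_EVENTS))  # [1, 2, 4]
    print("strict form (AND):", run_detection(SAMPLE_EVENTS, strict=True))  # [4]
```

Event 2 shows why the published OR form is the more useful one in practice: Outlook spawning a shell directly never has an Office child, so the strict AND form would miss it entirely.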

Please see the link to the Sigma rule here. Any credit back to this post is much appreciated.

https://github.com/TripleAAACyberSecurity/SIGMA_Detections/blob/main/3%20Outlook%20Spawning%20and%20Office%20process%20with%20Suspicious%20Command%20line.yml
