Working with a parent-child relationship
This topic addresses the case where malware is delivered as a script in an email attachment or in a document.
We want to create a rule that monitors the execution of a script interpreter (a process that runs scripts) whose parent is a Microsoft Office application, that is, a process launched from a document or an email.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
    <description>
        <name>Microsoft Office Application Invoked Script Interpreter [D0807]</name>
        <guid>4e9047f1-c506-4461-a2f3-a4e1db82ce48</guid>
        <category>Office</category>
        <os>Windows</os>
        <severity>77</severity>
        <mitreattackid>T1059.005,T1203</mitreattackid>
        <explanation>Malicious documents are one of the common techniques used for initial access. Adversaries commonly abuse features such as Macros or Add-Ins. For legacy versions of Microsoft Office public exploits are also available. Rule monitors following applications: Excel, Access, Outlook, PowerPoint and Word that are executing Windows Command Prompt, PowerShell, Windows Script Host or Microsoft HTML Application.</explanation>
        <benignCauses>Custom Office documents usually used for automation of tasks such as internal asset management. Various Legal Management Software suites that integrate with Microsoft Office can trigger this behavior.</benignCauses>
        <maliciousCauses>Malicious Microsoft Office document.</maliciousCauses>
        <recommendedActions>1. Investigate the process tree for any additional detections indicating suspicious activity. 2. Check the results of document analysis in ESET LiveGuard if available. 3. Investigate other detections on the same host. 4. Initiate the incident response process based on investigation outcome.</recommendedActions>
    </description>
    <definition>
        <parentprocess>
            <operator type="OR">
                <condition component="FileItem" property="FileName" condition="is" value="excel.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="msaccess.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="outlook.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="powerpnt.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="winword.exe"/>
            </operator>
        </parentprocess>
        <process>
            <operator type="OR">
                <condition component="FileItem" property="FileName" condition="is" value="powershell.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="cscript.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="wscript.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
                <condition component="FileItem" property="FileName" condition="is" value="mshta.exe"/>
                <condition component="Module" property="OriginalFileName" condition="is" value="powershell.exe"/>
                <condition component="Module" property="OriginalFileName" condition="is" value="cscript.exe"/>
                <condition component="Module" property="OriginalFileName" condition="is" value="wscript.exe"/>
                <condition component="Module" property="OriginalFileName" condition="is" value="cmd.exe"/>
                <condition component="Module" property="OriginalFileName" condition="is" value="mshta.exe"/>
            </operator>
        </process>
    </definition>
    <maliciousTarget name="current"/>
    <actions>
        <action name="TriggerDetection"/>
        <action name="StoreEvent"/>
    </actions>
</rule>
Things to notice in the rule example above:
1. We used process to identify the execution of the script interpreter and parentprocess to identify the Microsoft Office application, so "Process executed by" is modeled by the process – parentprocess relation. The OriginalFileName conditions on the Module component ensure that a renamed copy of the interpreter is still matched, because OriginalFileName comes from the executable's version resource rather than from its name on disk.
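To make the parent-child evaluation concrete, the following added example (not part of the original page and not ESET Inspect's own rule engine) parses a trimmed copy of the rule's definition block and evaluates it over constructed process events; the record layout, the case-insensitive "is" comparison and the event values are assumptions made for the example.

```python
"""Evaluate a parent/child process rule of the kind shown above over sample events."""
import xml.etree.ElementTree as ET

# Constructed: the <definition> of the page's rule, trimmed to two
# conditions per block so the example stays short.
RULE_XML = """<rule><definition>
  <parentprocess><operator type="OR">
    <condition component="FileItem" property="FileName" condition="is" value="winword.exe"/>
    <condition component="FileItem" property="FileName" condition="is" value="outlook.exe"/>
  </operator></parentprocess>
  <process><operator type="OR">
    <condition component="FileItem" property="FileName" condition="is" value="powershell.exe"/>
    <condition component="Module" property="OriginalFileName" condition="is" value="powershell.exe"/>
  </operator></process>
</definition></rule>"""

def _match_operator(op, proc):
    """Evaluate one <operator> over a process record ({component: {property: value}})."""
    results = []
    for cond in op.findall("condition"):
        actual = proc.get(cond.get("component"), {}).get(cond.get("property"), "")
        if cond.get("condition") != "is":
            raise ValueError(f"unsupported condition {cond.get('condition')}")
        # Assumption: "is" compares file names case-insensitively.
        results.append(actual.lower() == cond.get("value").lower())
    return any(results) if op.get("type") == "OR" else all(results)

def rule_matches(rule_xml, event):
    """True only when both the parentprocess and the process blocks match."""
    definition = ET.fromstring(rule_xml).find("definition")
    for block, key in (("parentprocess", "parent"), ("process", "process")):
        if not _match_operator(definition.find(block).find("operator"), event[key]):
            return False
    return True

# Constructed sample events (hypothetical, not real telemetry).
EVENTS = [
    {"parent": {"FileItem": {"FileName": "winword.exe"}},
     "process": {"FileItem": {"FileName": "powershell.exe"},
                 "Module": {"OriginalFileName": "PowerShell.EXE"}}},
    # Interpreter renamed on disk: only the OriginalFileName condition fires.
    {"parent": {"FileItem": {"FileName": "outlook.exe"}},
     "process": {"FileItem": {"FileName": "updater.exe"},
                 "Module": {"OriginalFileName": "PowerShell.EXE"}}},
    # Not covered by the rule: the parent is not an Office application.
    {"parent": {"FileItem": {"FileName": "explorer.exe"}},
     "process": {"FileItem": {"FileName": "powershell.exe"},
                 "Module": {"OriginalFileName": "PowerShell.EXE"}}},
]

def detections(events=EVENTS):
    """Indexes of the events the rule would trigger on."""
    return [i for i, e in enumerate(events) if rule_matches(RULE_XML, e)]
```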