ID | Technique | Tactic |
---|---|---|
T1566.001 | Spearphishing Attachment | Initial Access |
Detection: Detect Outlook exe writing a zip file
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies the execution of outlook.exe
writing a .zip
file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.
Search
1
2| tstats prestats=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
3| `drop_dm_object_name(Processes)`
4| tstats prestats=t append=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
5| `drop_dm_object_name(Filesystem)`
6| table action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product file_access_time file_create_time file_hash file_modify_time file_name file_path file_acl file_size firstTime lastTime
7| stats values(action) as action values(parent_process) as parent_process values(dest) as dest values(original_file_name) as original_file_name values(parent_process) as parent_process values(parent_process_exec) as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id) as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path) as parent_process_path values(process) as process values(process_exec) as process_exec values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level) as process_integrity_level values(process_name) as process_name values(process_path) as process_path values(user) as user values(user_id) as user_id values(vendor_product) as vendor_product values(file_access_time) as file_access_time values(file_create_time) as file_create_time values(file_hash) as file_hash values(file_modify_time) as file_modify_time values(file_name) as file_name values(file_path) as file_path values(file_acl) as file_acl values(file_size) as file_size by process_guid
8| where isnotnull(process) AND isnotnull(file_name)
9| `detect_outlook_exe_writing_a_zip_file_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon EventID 1 | 'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
|
Sysmon EventID 11 | 'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
Name | Value |
---|---|
security_content_summariesonly | summariesonly= summariesonly_config allow_old_summaries= oldsummaries_config fillnull_value= fillnull_config`` |
detect_outlook_exe_writing_a_zip_file_filter | search * |
detect_outlook_exe_writing_a_zip_file_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.
Known False Positives
It is not uncommon for outlook to write legitimate zip files to the disk.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
ZIP file written by outlook.exe on $dest$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
user | user | 25 | No Threat Objects |
dest | system | 25 | No Threat Objects |
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | Not Applicable | N/A | N/A | N/A |
Unit | ❌ Failing | N/A | N/A |
N/A |
Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 11