| ID | Technique | Tactic |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Initial Access |
Detection: Detect Outlook exe writing a zip file
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies the execution of outlook.exe writing a .zip file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.
Search
1
2| tstats prestats=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
3| `drop_dm_object_name(Processes)`
4| tstats prestats=t append=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
5| `drop_dm_object_name(Filesystem)`
6| table action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product file_access_time file_create_time file_hash file_modify_time file_name file_path file_acl file_size firstTime lastTime
7| stats values(action) as action values(parent_process) as parent_process values(dest) as dest values(original_file_name) as original_file_name values(parent_process) as parent_process values(parent_process_exec) as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id) as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path) as parent_process_path values(process) as process values(process_exec) as process_exec values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level) as process_integrity_level values(process_name) as process_name values(process_path) as process_path values(user) as user values(user_id) as user_id values(vendor_product) as vendor_product values(file_access_time) as file_access_time values(file_create_time) as file_create_time values(file_hash) as file_hash values(file_modify_time) as file_modify_time values(file_name) as file_name values(file_path) as file_path values(file_acl) as file_acl values(file_size) as file_size by process_guid
8| where isnotnull(process) AND isnotnull(file_name)
9| `detect_outlook_exe_writing_a_zip_file_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 1 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Sysmon EventID 11 | Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| detect_outlook_exe_writing_a_zip_file_filter | search * |
detect_outlook_exe_writing_a_zip_file_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Delivery
DE.CM
CIS 13
APT1
APT12
APT19
APT28
APT29
APT30
APT32
APT33
APT37
APT38
APT39
APT41
Ajax Security Team
Andariel
BITTER
BRONZE BUTLER
BlackTech
CURIUM
Cobalt Group
Confucius
DarkHydrus
Darkhotel
Dragonfly
EXOTIC LILY
Elderwood
FIN4
FIN6
FIN7
FIN8
Ferocious Kitten
Gallmaker
Gamaredon Group
Gorgon Group
Higaisa
Inception
IndigoZebra
Kimsuky
Lazarus Group
LazyScripter
Leviathan
Machete
Malteiro
Mofang
Molerats
Moonstone Sleet
MuddyWater
Mustang Panda
Naikon
Nomadic Octopus
OilRig
PLATINUM
Patchwork
RTM
Rancor
RedCurl
Saint Bear
Sandworm Team
SideCopy
Sidewinder
Silence
Star Blizzard
TA2541
TA459
TA505
TA551
The White Company
Threat Group-3390
Tonto Team
Transparent Tribe
Tropic Trooper
WIRTE
Windshift
Winter Vivern
Wizard Spider
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.
Known False Positives
It is not uncommon for outlook to write legitimate zip files to the disk.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
ZIP file written by outlook.exe on $dest$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 25 | No Threat Objects |
| dest | system | 25 | No Threat Objects |
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | Not Applicable | N/A | N/A | N/A |
| Unit | ❌ Failing | N/A | N/A |
N/A |
| Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 11