[Snort-sigs] Office documents with commands in metadata

Y M snort at outlook.com
Mon Jun 11 15:13:23 EDT 2018


Hi,

This is an attempt to detect documents with executable commands (certutil and powershell) in their metadata, which are accessed via embedded VBScript. Lab-generated pcaps of malicious documents are available. I added these under indicator-compromise, but I'm not sure if this is the appropriate category. Oh, and I am not sure if this is a good detection idea; more testing is needed.

# --------------------
# Date: 2018-06-10
# Title: Office files with executable commands in metadata
# Reference: Research
# Hashes:
#     - f5f9f7f800a1f637395f34255e9937a878612573acf61dd41e1022869683e5da (no metadata)
#     - f87837b933d0cda0b23c1b2be6a05db40d480fe87edd9494f026b351e571f6aa
#     - fd8a6da88cfb37a8a220f4c5fb5bebc6dc8800e844a8ba843200037c86790c26
# Tests: pcap
# Confidence: low
# Notes: Seen in documents with CobaltStrike beaconing

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|certutil "; within:command_depth; nocase; content:" http"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000115; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000116; rev:1;)

Thanks.
YM