Thursday, 7 February 2019

Threat Hunting #15 - Detecting Doc with Macro invoking WMI or SBW/SW COM Objects

In this post, we discuss how to detect two procedures an attacker can use to bypass existing standard/known detections for macro-based Office droppers:

Method 1 - WMI

Macro invoking WMI to create a new process, which changes the execution flow from, for instance, winword.exe spawning cmd.exe to wmiprvse.exe spawning cmd.exe (winword.exe spawns nothing itself, thus bypassing standard parent/child detection rules):

During macro execution, winword.exe loads four WMI-related modules, which is uncommon for an Office process and can be used to detect this technique:

  • C:\Windows\System32\wbem\wmiutils.dll
  • C:\Windows\System32\wbemcomn.dll
  • C:\Windows\System32\wbem\wbemdisp.dll
  • C:\Windows\System32\wbem\fastprox.dll

Detection with CBR EDR:

(process_name:winword.exe or process_name:excel.exe or process_name:powerpnt.exe) and modload:wmiutils.dll and modload:wbemcomn.dll and modload:wbemdisp.dll and modload:fastprox.dll

Method 2 - ShellWindows / ShellBrowserWindow COM Objects

Macro code making use of the following COM objects:

  • ShellWindows (ClsID = {9BA05972-F6A8-11CF-A442-00A0C90A8F39})
  • ShellBrowserWindow (ClsID = {c08afd90-f2a1-11d1-8455-00a0c91f3880})

After macro execution, it is explorer.exe that launches/spawns cmd.exe, which is extremely difficult to spot using regular parent/child detection [winword.exe spawned powershell.exe, cmd.exe, cscript.exe, etc.].

After the COM call, svchost.exe hosting the DCOMLaunch service will spawn an instance of rundll32.exe with a command line referring to the ShellWindows or ShellBrowserWindow CLSID:

We can use the above traces to create an EDR or Sysmon detection rule:

CBR: 

process_name:rundll32.exe and (cmdline:*9BA05972\-F6A8\-11CF\-A442\-00A0C90A8F39* or cmdline:*c08afd90\-f2a1\-11d1\-8455\-00a0c91f3880*) and parent_name:svchost.exe
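Both detections above (the four-module load set for Method 1 and the svchost.exe -> rundll32.exe CLSID pattern for Method 2) expressed as plain detection logic over Sysmon-style events, so the rules can be tested offline before they are deployed. This is an added example, not code from the original post or from Carbon Black; the event records are constructed to mimic Sysmon Event ID 7 (image load) and Event ID 1 (process create), and the rundll32 command line is a constructed sample, not captured telemetry.

```python
"""Offline check of the two macro-dropper detections described above.

Events are dicts shaped like Sysmon EventID 7 (ImageLoad) and EventID 1
(ProcessCreate). Example code, not the original post's or any vendor's.
"""
import re
from collections import defaultdict

# Office hosts named in the CBR query above.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Method 1: all four WMI modules must be loaded by the same Office process.
WMI_MODULES = {"wmiutils.dll", "wbemcomn.dll", "wbemdisp.dll", "fastprox.dll"}

# Method 2: CLSIDs from the post (compared case-insensitively).
SHELL_CLSIDS = {
    "9ba05972-f6a8-11cf-a442-00a0c90a8f39",  # ShellWindows
    "c08afd90-f2a1-11d1-8455-00a0c91f3880",  # ShellBrowserWindow
}
CLSID_RE = re.compile(r"\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)


def basename(path):
    """Last path component, lower-cased, so C:\\...\\WINWORD.EXE matches."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_wmi_macro(events):
    """Return ProcessGuids of Office processes that loaded every WMI module.

    Loads are aggregated per process; a single wbemcomn.dll load is not enough,
    which mirrors the AND of the four modload terms in the CBR query.
    """
    loaded = defaultdict(set)
    for e in events:
        if e["EventID"] == 7 and basename(e["Image"]) in OFFICE_PROCS:
            loaded[e["ProcessGuid"]].add(basename(e["ImageLoaded"]))
    return sorted(guid for guid, mods in loaded.items() if WMI_MODULES <= mods)


def detect_shellwindow_com(events):
    """Return (ProcessGuid, clsid) for rundll32.exe spawned by svchost.exe
    whose command line carries one of the two shell CLSIDs."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        if basename(e["Image"]) != "rundll32.exe":
            continue
        if basename(e["ParentImage"]) != "svchost.exe":
            continue
        for clsid in CLSID_RE.findall(e["CommandLine"]):
            if clsid.lower() in SHELL_CLSIDS:
                hits.append((e["ProcessGuid"], clsid.lower()))
    return hits


def _load(guid, image, dll):
    return {"EventID": 7, "ProcessGuid": guid, "Image": image, "ImageLoaded": dll}


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SYS32 = r"C:\Windows\System32"

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # W1: benign-looking Word process that only touched wbemcomn.dll.
    _load("W1", WORD, SYS32 + r"\wbemcomn.dll"),
    # W2: Word process loading all four WMI modules (Method 1 trace).
    _load("W2", WORD, SYS32 + r"\wbem\wmiutils.dll"),
    _load("W2", WORD, SYS32 + r"\wbemcomn.dll"),
    _load("W2", WORD, SYS32 + r"\wbem\wbemdisp.dll"),
    _load("W2", WORD, SYS32 + r"\wbem\fastprox.dll"),
    # R1: DCOMLaunch svchost spawning rundll32 with the ShellBrowserWindow CLSID.
    {"EventID": 1, "ProcessGuid": "R1", "Image": SYS32 + r"\rundll32.exe",
     "ParentImage": SYS32 + r"\svchost.exe",
     "CommandLine": SYS32 + r"\rundll32.exe " + SYS32
     + r"\shell32.dll,SHCreateLocalServerRunDll "
     "{C08AFD90-F2A1-11D1-8455-00A0C91F3880} -Embedding"},
    # R2: ordinary rundll32 from svchost with no shell CLSID; must not fire.
    {"EventID": 1, "ProcessGuid": "R2", "Image": SYS32 + r"\rundll32.exe",
     "ParentImage": SYS32 + r"\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    print("Method 1 hits:", detect_wmi_macro(SAMPLE_EVENTS))
    print("Method 2 hits:", detect_shellwindow_com(SAMPLE_EVENTS))
```

The per-process aggregation in the first function is the part worth keeping in mind when porting this to a SIEM: each module load is a separate event, so the rule has to group by ProcessGuid (or process id plus start time) before requiring all four modules, otherwise it either never fires or fires on any Office process that loads a single wbem DLL.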
