Pages

Thursday, 7 February 2019

Threat Hunting #15 - Detecting Doc with Macro invoking WMI or SBW/SW COM Objects

In this post, we will be discussing how to detect two procedures an attacker can use to bypass existing standard/known detections for macro based office droppers:

Method 1 - WMI

MACRO invoking WMI to create a new process, which changes the execution flow from for instance winword.exe spawning cmd.exe to wmiprvse.exe spawning cmd.exe (winword.exe spawning nothing, thus bypassing standard detection rules):




During macro execution, winword.exe will load 4 WMI related modules, which is not very common and can be used to detect this technique:

  • C:\Windows\System32\wbem\wmiutils.dll
  • C:\Windows\System32\wbemcomn.dll
  • C:\Windows\System32\wbem\wbemdisp.dll
  • C:\Windows\System32\wbem\fastprox.dll




Detection with CBR EDR:

(process_name:winword.exe or process_name:excel.exe or process_name:powerpnt.exe) and modload:wmiutils.dll and modload: wbemcomn.dll and wbemdisp.dll and modload:fastprox.dll



Method 2: ShellBrowserWindow / ShellBrowser COM Objects

Macro code making use of the following COM objects:

  • ShellWindows (ClsID = {9BA05972-F6A8-11CF-A442-00A0C90A8F39})
  • ShellBrowserWindow (ClsID = {c08afd90-f2a1-11d1-8455-00a0c91f3880})

After macro execution, it's explorer.exe that will launch/spawn cmd.exe, which is extremely difficult to spot using regular detection [winword.exe spawned powershell.exe or cmd.exe or cscript etc.]



After the COM call, svchost.exe hosting the DCOMLaunch service will spawn an instance of rundll32.exe with the command line attribute referring to ShellBrowserWindows CLSID:



We can use the above traces, to create an EDR or sysmon detection rule:

CBR: 

process_name:rundll32.exe and (cmdline:*9BA05972\-F6A8\-11CF\-A442\-00A0C90A8F39* or cmdline:*c08afd90\-f2a1\-11d1\-8455\-00a0c91f3880*) and parent_name:svchost.exe



4 comments:

  1. I guess I am the only one who comes here to share my very own experience guess what? I am using my laptop for almost the post 2 years.

    Kutools for Word Crack

    AVS Audio Editor Crack

    Muvizu Play Crack

    Betternet VPN Premium Crack

    ReplyDelete
  2. After reviewing numerous blog posts on the site,
    We really appreciate how your blog works.
    We've added it to your list of favorite sites, and we'll review it soon.
    Future. Also, check out my website and let us know what you think.
    You have done a great job. I appreciate your work, thank you for sharing.
    CrackBins Full Version Softwares Free Download
    Kutools for Word Crack

    ReplyDelete
  3. After reviewing some of the ads on your site,
    We really appreciate the way you write your blog.
    We've added it to our Bookmarks website list and we'll check back soon.
    Future. Also., check out my website and let us know what you think.
    You did a good job and worked hard. I appreciate your work, thanks for sharing.
    crackbins Full Version Softwares Free Download
    Kutools for Word Crack

    ReplyDelete
  4. I guess I am the only one who came here to share my very own experience. Guess what!? I am using my laptop for almost the past 6 years, but I had no idea of solving some basic issues. I do not know how to Download Cracked Pro Softwares But thankfully, I recently visited a website named PCexe.org
    All Pro Cracked Softwares Download
    Betternet VPN Premium Crack
    PUBG PC Free Download Crack
    Letasoft Sound Booster Crack
    Latest Wondershare Recoverit Crack
    IDM Crack

    ReplyDelete