Friday, 8 March 2019

Brute-forcing Password Protected Office Files - Forensic artifact

In this short post we show an interesting artifact we found in the Office Alert event log. It can be useful in cases such as insider investigations, or any similar situation where an unauthorized person tries to open a password protected file on a machine you control.

Office Alert Logs can be found here:

%SystemRoot%\System32\Winevt\Logs\OAlerts.evtx

Or viewed directly from within Event Viewer:

As an example, we've created a simple Excel sheet with password protection:

If someone else tries to open the file, once or multiple times, and supplies an incorrect password, each failure triggers Office Alert Event ID 300 with the following text:

The password you supplied is not correct. Verify that the CAPS LOCK key is off and be sure to use the correct capitalization.

The number of such events is proportional to the number of failed access attempts (which may help you understand the nature of those failures):

Unfortunately this log does not record the document name (weird!), but at least you have solid evidence of such an action plus a timestamp you can correlate with other events.
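To turn this artifact into a quick check, the script below (an added example, not part of the original post) reads Event ID 300 from the OAlerts log with Get-WinEvent, keeps only the "password you supplied is not correct" alerts, and reports clusters of failures that fall within a short window. The threshold, window length and look-back period are assumed values; tune them to your environment.

```powershell
# Added example: find bursts of Office "incorrect password" alerts (Event ID 300)
# in OAlerts.evtx on the local machine. Run from an elevated PowerShell prompt.
param(
    [int]$Threshold = 5,                            # failures needed to raise a finding (assumed)
    [int]$WindowMinutes = 10,                       # cluster window in minutes (assumed)
    [datetime]$Since = (Get-Date).AddDays(-30)      # look-back period (assumed)
)

# The message text is the one quoted in the post. It is locale dependent, so
# adjust the pattern if the Office installation is not English.
$pattern = 'password you supplied is not correct'

$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'OAlerts'
        Id        = 300
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Output "No matching Event ID 300 alerts since $Since"
    return
}

# Group consecutive alerts that occur within $WindowMinutes of the first
# alert in the current cluster. One failed attempt produces one event, so the
# cluster size is the number of wrong passwords tried in that window.
$clusters = @()
$current  = @($events[0])
foreach ($e in ($events | Select-Object -Skip 1)) {
    if (($e.TimeCreated - $current[0].TimeCreated).TotalMinutes -le $WindowMinutes) {
        $current += $e
    } else {
        $clusters += ,$current
        $current = @($e)
    }
}
$clusters += ,$current

# The log does not record the document name, so the output only gives you
# the time range to correlate with other sources (file access, logon events).
$clusters |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            FirstAttempt = $_[0].TimeCreated
            LastAttempt  = $_[-1].TimeCreated
            Failures     = $_.Count
            Provider     = $_[0].ProviderName   # tells you which Office version logged it
        }
    } | Format-Table -AutoSize
```

To examine an exported log from another machine instead, replace the LogName entry in the filter hashtable with `Path = 'C:\path\to\OAlerts.evtx'`.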

Related Post:

https://blog.menasec.net/2019/02/threat-hunting-4-detecting-excelword.html
