Detect Wmiprvse.exe as parent in close proximity to Winword.exe startup

One of the TTPs for #Ursnif samples has been to use WMI classes to launch powershell.  This shows in the EDR as wmiprvse.exe as the parent of the malicious powershell process but it is not evident what initiated the process since the parent child relationship has been broken.  You probably already have a signature for the wmiprvse.exe as parent to powershell and the Word file containing the macro uses a detectable name format "info_10_1.doc".  It would be nice to fill in the attack chain a bit to speed up the analysis process.


One interesting method is to use the proximity of the winword.exe startup event to the wmiprvse.exe parent event.  This might seem like a good place for a Splunk transaction but I find them slow at times so I tend to use the Stats command where possible.


Detect Wmiprvse.exe as parent in close proximity to Winword.exe starting


  • The search line is using raw exe names just to speed up the search, the important part is finding winword.exe as the process and wmiprvse.exe as a parent. It was not necessary to specify powershell as the child of wmiprvse.
  • The bucket sets the window in which the events have to occur, in this case 1 minute.
  • Stats is gathering up the events by computer name and our 1 minute windows
  • Since we are looking for two different processes the events of interest will have to have both in them, hence the process count will be greater than one and winword needs to be one of the processes.

And that about does it. Running this back through time was reasonably fast and pulled in Winword opening up the info_10_1.doc and the malicious powershell launching.  There were a handful of tunes needed for a production environment that are not shown here.

Gaps:
In the case that winword was already open, this would not fire since it is looking for process starts.

Happy hunting.

---Update

@Ateixei had a nice tip on using match instead of like in where conditions that make it a bit cleaner as well as a tip to use parens to clean up the SPL. Here is the where condition version using match:

| where mvcount(process)>1 AND match(process,"(?i)winword\.exe")



References:

https://app.any.run/tasks/e2cc76c0-0551-496f-8830-65b4a5de6077/
https://attack.mitre.org/techniques/T1175/
https://www.bromium.com/how-ursnif-evades-detection/
https://twitter.com/ateixei/status/1179692764876955648


Comments

  1. computermobile.infoMay 13, 2020 at 8:06 PM

    This comment has been removed by the author.

    ReplyDelete
  2. computermobile.infoMay 13, 2020 at 8:11 PM

    WINWORD EXE Application Error in Windows 10 - Microsoft word is word processing software. The WINWORD EXE Application Error in Windows 10 is a common error affecting users using MS Office. This frustrating error can shut down or suspend your work unexpectedly. You need to make sure you have the latest Windows 10 updates. Run antivirus or anti-malware software to check for viruses or malware. Use the “End Process” from the task manager and restart the Winword.exe process. Repair Microsoft Office installation through the control panel. Uninstall and reinstall MS-Office. For more Information visit: Computer Mobile Info

    ReplyDelete
  3. Zero TrustJuly 5, 2020 at 5:54 PM

    The SolidWorks training focuses specifically on the user interface and quicker ways of accessing everyday features. In the last two versions (2016 & 2017) SOLIDWORKS has DRASTICALLY improved the user interface with the addition of breadcrumbs and cursor sensitive toolbars. So, if you are looking for solidworks training, look no further. We are here to assist you with your query.

    ReplyDelete

Post a Comment

Popular posts from this blog

Misleading extensions Xls.exe Doc.exe Pdf.exe

I get something out of twitter almost every day and it is not uncommon to see examples a few times before the realization sinks in that you are looking at a technique that needs a rule. These should fall under the ATT&CK framework as masquerading. I saw a tweet the other day that reminded me of a couple of signatures worth talking about. These misleading double extensions are not new but they never seem to go out of style. With modern EDRs it is an easy win. The malware filename ended in .xls.exe but lets expand that to include other office file types. index=edr ( doc OR docx OR xls OR xlsx OR pdf ) exe ( process_path=*.doc.exe OR process_path=*.docx.exe OR process_path=*.xls.exe OR process_path=*.xlsx.exe OR process_path=*.pdf.exe ) The sig is largely self explanatory, the tokenization allows for keyword search by breaking up the extension, and the process path stuff just anchors it all to the process name since these are pretty generic terms. Another tweet by blackor
Read more

Netconn from suspicious directories

Suspicious directories are an interesting topic and I am always on the lookout for them as a TTP.  The premise may be that directories like temp and downloads are already under review so some other directory should be used. That is fine for a while but once known it is easy to detect. The problem is noticing the unusual directory and adding it to your detection. I have no idea where I got most of these so if you have a post similar to this I will be happy to reference it. Number one is the recycle bin, nothing should run from here, be referenced from here and certainly not netconn. I also do a signature for $recycle.bin in the command line just to catch anything non-netconn related. These are locations to look for processes doing netconn.  Additional filtering is possible looking for activity from the root of these locations if you have a noisy one or it is a legit higher level path like C:\. A search query for only the root would look something like this: index=edr process_pa
Read more

Powershell DNS C2 Notes

I recently took a look at Powershell DNS C2 and found a couple of interesting things. The special case of DNS requests from powershell should be easy enough to identify using an EDR. Using splunk and stats just look for multiple remote port 53 occurrances from powershell. There will be a few but DNS c2 is noisy so a large limit can be used for filtering. Next I took a look at DNSCat https://github.com/lukebaggett/dnscat2-powershell Interestingly powershell does not make the dns request directly but spawns nslookup to do it. Easy enough to make a signature for that. Again, powershell calling nslookup will occur legitimately, but a large filter for occurrences will filter those out. index=edr powershell.exe nslookup.exe parent_path=*\\powershell.exe | stats values(command_line) count by computer_name parent_process_guid | where count>10 Next I went back to some old Oilrig samples which used DNS C2. Nothing new here, just multiple DNS requests directly from powershell. B
Read more