Name:Windows Spearphishing Attachment Connect To None MS Office Domain id:1cb40e15-cffa-45cc-abbd-e35884a49766 version:7 date:2025-02-10 author:Teoderick Contreras, Splunk status:production type:Hunting Description:The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise. Data_source:
-Sysmon EventID 22
search:`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) as firstTime max(_time) as lastTime by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives:Windows Office document may contain legitimate url link other than MS office Domain. filter is needed References: -https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader -https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches:
: tags: analytic_story: - 'Spearphishing Attachments' - 'AsyncRAT' asset_type:Endpoint mitre_attack_id: - 'T1566.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
