![]() ![]() – The next in the sequence, we could see “Image” as WINWORD.EXE and TargetObject to be msdt.exe. Note: Here this could be other Office applications other than WORD as well. (Sysmon Event ID = 3) AND (Image contains WINWORD.exe) AND (Initiated = True) AND (DestinationIp = known malicious IP) (Sysmon Event ID = 3) AND (Image contains WINWORD.exe) AND (Initiated = True) However, you could have a detection rule with the combination of below: – For above event, it would be an overkill to create this rule. Rule Creation Logic for Word creating a network connection: Log 1: Below is sample log from our tests where WINWORD.EXE made a TCP connection to the attacker 192.168.1.130 at port 8000. – To check a host if it made the connection from event logs, you could check to see if the word made a connection to the target. This IOC could then be checked with known sources and blocked accordinly in your environment.From the above output, we can see that Target mode “External” with the Target as ! which is the attacker.Using the below grep, to find the Target. You should now have a folder with the extracted lsĭoc follina.doc _ follina.py nc64.exe README.mdīelow are the contents for tree _/ Review the file type and extract the contents using binwalk to understand the file follina.docįollina.doc: Zip archive data, at least v2.0 to binwalk -e follina.doc In this demo, I am using a Linux Mint machine.Obtain the malicious doc file that the user received and place it in an isolated VM.If you are a forensic investigator and would like to check if this exploit was targeting this vulnerability, here are some pointers: Later, you can see that notepad was opened on the Victim’s machine. ![]() Once the victim opens the file, Word will initiate a TCP connection to the attacker at port 8000.īelow is screenshot where traffic is seen initiated from the victim machine to the attacker’s machine.Now send the crafted file file to the victim.Note: For this to work in my build and version of Windows, I had to convert the word document to rtf format. pass command that needs to be executed on the victim machine (In this case sudo python3 follina-mod.py -p 8000 -i wlo1 -c “notepad” If a user opens the file, then it specified application mentioned by the attacker crafted in the malicious file will be executed in the Victim’s machine. An attacker could modify the user’s programs, settings, create accounts on the victim’s machine.īelow is POC where an attacker can craft a malicious document that has a command to be executed.An attacker could run arbitrary code on a victim’s device with the same privileges as the calling application. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |