Suspicious Download from Office Domain

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

MITRE ATT&CK coverage

Tactic	Techniques
Resource Development	`T1608` Stage Capabilities
Command & Control	`T1105` Ingress Tool Transfer

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `all of selection_download`

or:
CommandLine|contains: '.DownloadFile('
CommandLine|contains: '.DownloadString('
CommandLine|contains: Invoke-WebRequest
CommandLine|contains: Start-BitsTransfer
CommandLine|contains: 'curl '
CommandLine|contains: 'iwr '
CommandLine|contains: 'wget '
Image|endswith: '\curl.exe'
Image|endswith: '\wget.exe'

Stage 2: `all of selection_domains`

or:
CommandLine|contains: 'https://attachment.outlook.live.net/owa/'
CommandLine|contains: 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`.DownloadFile(` corpus 3 (sigma 3) `.DownloadString(` corpus 3 (sigma 3) `Invoke-WebRequest` corpus 6 (sigma 6) `Start-BitsTransfer` corpus 2 (sigma 2) `curl` corpus 8 (sigma 8) `https://attachment.outlook.live.net/owa/` `https://onenoteonlinesync.onenote.com/onenoteonlinesync/` `iwr` corpus 8 (sigma 8) `wget` corpus 7 (sigma 7)
`Image`	ends_with	`\curl.exe` corpus 19 (sigma 19) `\wget.exe` corpus 6 (sigma 6)