Detect Outlook exe writing a zip file
The following analytic identifies outlook.exe writing a .zip file to disk. It leverages data from the Endpoint data model, specifically process and filesystem activity. This behavior can be significant because it may indicate the use of Outlook to deliver malicious payloads or to exfiltrate data in compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the affected system and network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE Processes.process_name="outlook.exe" BY _time, Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: rename
rename
Stage 6: rename
rename
Stage 7: join
join type=inner (...)
Stage 8: table
table action, dest, file_name, file_path, firstTime, lastTime, malicious_id, original_file_name, outlook_id, parent_process, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_hash, process_id, process_integrity_level, process_name, process_path, user, user_id, vendor_product
Stage 9: where
where file_name!=""
Stage 10: search
search `macro`
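The stages above join process-creation telemetry (Sysmon Event ID 1) with file-creation telemetry (Sysmon Event ID 11) so that only .zip files written by a confirmed outlook.exe process survive. The following Python is an added illustration of that correlation over a handful of constructed Sysmon events; it is not the rule's own SPL, and the hosts, users, GUIDs and paths are hypothetical. The optional `filter_fn` plays the role of the trailing filter macro, the place where tuning belongs.

```python
import ntpath
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed Sysmon events (hypothetical hosts, users, GUIDs and paths).
SAMPLE_EVENTS: List[Event] = [
    # ws01: outlook.exe starts, then writes a .zip and its usual .ost cache file
    {"EventID": 1, "Computer": "ws01", "Image": OUTLOOK, "ProcessGuid": "{guid-1}",
     "ProcessId": 4120, "User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "UtcTime": "2024-01-01 09:00:00.000"},
    {"EventID": 11, "Computer": "ws01", "Image": OUTLOOK, "ProcessGuid": "{guid-1}",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.zip",
     "UtcTime": "2024-01-01 09:00:05.000"},
    {"EventID": 11, "Computer": "ws01", "Image": OUTLOOK, "ProcessGuid": "{guid-1}",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost",
     "UtcTime": "2024-01-01 09:00:06.000"},
    # ws02: a different process writes a .zip (the process_name filter must reject it)
    {"EventID": 1, "Computer": "ws02", "Image": NOTEPAD, "ProcessGuid": "{guid-2}",
     "ProcessId": 800, "User": r"CORP\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "UtcTime": "2024-01-01 09:10:00.000"},
    {"EventID": 11, "Computer": "ws02", "Image": NOTEPAD, "ProcessGuid": "{guid-2}",
     "TargetFilename": r"C:\Users\bob\Desktop\notes.zip",
     "UtcTime": "2024-01-01 09:10:01.000"},
    # ws03: a .zip write by outlook.exe with no matching process-creation event;
    # an inner join (like the rule's join type=inner) drops it
    {"EventID": 11, "Computer": "ws03", "Image": OUTLOOK, "ProcessGuid": "{guid-3}",
     "TargetFilename": r"C:\Users\carol\AppData\Local\Temp\report.zip",
     "UtcTime": "2024-01-01 09:20:00.000"},
]


def process_name(image: str) -> str:
    """Lower-cased basename of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def detect_outlook_zip_writes(
    events: List[Event],
    process: str = "outlook.exe",
    extension: str = ".zip",
    filter_fn: Optional[Callable[[Dict[str, object]], bool]] = None,
) -> List[Dict[str, object]]:
    """Return one finding per .zip file written by a confirmed outlook.exe process.

    Stage 1 analogue: index Event ID 1 rows for the target process by ProcessGuid.
    Join analogue: keep Event ID 11 rows only when their ProcessGuid has such a row.
    filter_fn(row) -> True suppresses a row, like a trailing filter macro would.
    """
    processes: Dict[str, Event] = {}
    for e in events:
        if e["EventID"] == 1 and process_name(str(e["Image"])) == process:
            processes[str(e["ProcessGuid"])] = e

    findings: List[Dict[str, object]] = []
    for e in events:
        if e["EventID"] != 11 or process_name(str(e["Image"])) != process:
            continue
        file_path = str(e["TargetFilename"])
        if not file_path.lower().endswith(extension):
            continue
        proc = processes.get(str(e["ProcessGuid"]))
        if proc is None:
            continue  # inner join: no process-creation record to pair with
        file_name = ntpath.basename(file_path)
        if file_name == "":
            continue  # mirrors `where file_name!=""`
        row = {
            "dest": e["Computer"],
            "user": proc["User"],
            "process_name": process,
            "process_guid": e["ProcessGuid"],
            "process_id": proc["ProcessId"],
            "parent_process_name": process_name(str(proc["ParentImage"])),
            "file_name": file_name,
            "file_path": file_path,
            "firstTime": proc["UtcTime"],
            "lastTime": e["UtcTime"],
        }
        if filter_fn is not None and filter_fn(row):
            continue
        findings.append(row)
    return findings


if __name__ == "__main__":
    for finding in detect_outlook_zip_writes(SAMPLE_EVENTS):
        print(finding)
```

Only the ws01 write surfaces: the notepad.exe archive fails the process-name check, the .ost file fails the extension check, and the ws03 event has no Event ID 1 partner, so the inner join discards it. That last case is worth remembering when validating the rule in production: if process-creation logging is missing or lagging on a host, real outlook.exe .zip writes there will never be reported.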
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Filesystem.action | eq | |
| Filesystem.file_path | eq | |
| Filesystem.file_path | in | |
| Processes.process_name | eq | outlook.exe |
| file_name | ne | "" (empty) |