Windows Office Product Dropped Cab or Inf File

Author: Michael Haag, Splunk
Source: upstream

The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1566.001` Phishing: Spearphishing Attachment

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	11	FileCreate
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `tstats`

tstats WHERE (Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OUTLOOK.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe") OR Processes.process_name IN ("EQNEDT32.exe", "Graph.exe", "excel.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe")) BY _time, Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product

Stage 2: `search`

search

Stage 3: `rename`

rename

Stage 4: `join`

join type=inner (...)

Stage 5: `dedup`

dedup file_create_time

Stage 6: `table`

table dest, file_create_time, file_name, file_path, proc_guid, process, process_name

Stage 7: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Filesystem.file_name`	in	`".cab"` `".inf"`
`Processes.original_file_name`	in	`"EQNEDT32.EXE"` corpus 2 (splunk 2) `"Excel.exe"` corpus 2 (splunk 2) `"Graph.exe"` corpus 2 (splunk 2) `"MSACCESS.EXE"` corpus 2 (splunk 2) `"MSPUB.EXE"` corpus 2 (splunk 2) `"OUTLOOK.EXE"` corpus 2 (splunk 2) `"OneNote.exe"` corpus 2 (splunk 2) `"OneNoteIm.exe"` corpus 2 (splunk 2) `"OneNoteM.exe"` corpus 2 (splunk 2) `"POWERPNT.EXE"` corpus 2 (splunk 2) `"VISIO.EXE"` corpus 2 (splunk 2) `"WinProj.exe"` corpus 2 (splunk 2) `"WinWord.exe"` corpus 2 (splunk 2)
`Processes.process_name`	in	`"EQNEDT32.exe"` corpus 5 (splunk 5) `"Graph.exe"` corpus 5 (splunk 5) `"excel.exe"` corpus 5 (splunk 5) `"msaccess.exe"` corpus 5 (splunk 5) `"mspub.exe"` corpus 5 (splunk 5) `"onenote.exe"` corpus 5 (splunk 5) `"onenoteim.exe"` corpus 5 (splunk 5) `"onenotem.exe"` corpus 5 (splunk 5) `"outlook.exe"` corpus 5 (splunk 5) `"powerpnt.exe"` corpus 5 (splunk 5) `"visio.exe"` corpus 5 (splunk 5) `"winproj.exe"` corpus 5 (splunk 5) `"winword.exe"` corpus 5 (splunk 5) `"wordpad.exe"` corpus 3 (splunk 3) `"wordview.exe"` corpus 3 (splunk 3)

Windows Office Product Dropped Cab or Inf File

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: rename

Stage 4: join

Stage 5: dedup

Stage 6: table

Stage 7: search