In my last post, I talked about detecting several types of malicious Office documents using Sysmon. Just to recap, I pointed out three different categories of documents we could target with Sysmon events:
- Documents leveraging malicious macros to launch a command shell - either cmd.exe or PowerShell
- Documents with malicious scripts embedded as objects
- Documents that use malicious macros - or possibly leveraging an exploited vulnerability - to execute shellcode
The first two could be targeted fairly easily with Sysmon event ID 1: Process Creation. The third, however, can be a little trickier. Documents that attempt to execute shellcode - either through a malicious macro or an exploited vulnerability - can use a variety of techniques to achieve their goals. One example I thought would make a good use case is the Hancitor downloader.
This process works well for detecting Hancitor, but might not be as effective against other types of shellcode.
Hancitor Downloader Infection Chain
Although there have been some changes recently, Hancitor is traditionally delivered via email with either an attachment or an embedded link to a malicious document. The document contains heavily obfuscated macro code that will decode some shellcode, write it to memory, and then use one of several techniques to jump to shellcode. If we look at the module section of a typical Hancitor sample, we can see the legitimate Windows API calls it uses.
The macro includes several API definitions that aren't actually used to make analysis a little tougher.
This particular sample uses NtAllocateVirtualMemory to allocate a chunk of memory, NtWriteVirtualMemory to write the decoded shellcode to that newly allocated memory, and SHCreateThread to execute that shellcode. Other samples use slightly trickier approaches with functions that are less obvious, but the end result is the same.
Once the shellcode runs, it will use the typical RunPE process where a new process is created in a suspended state, memory with a malicious executable is mapped to that process, and then the new process is resumed. That is the behavior we'll be targeting with Sysmon.
Detecting Hancitor and Similar Malicious Office Docs with Sysmon
Similar to our process from part 1 of this post, we'll use a custom Sysmon configuration to target only Microsoft Word to eliminate some noise for testing purposes. This time, we'll add event ID 10: Process Accessed to the collected events.
<Sysmon schemaversion="3.30"> <!-- Capture all hashes --> <HashAlgorithms>md5</HashAlgorithms> <EventFiltering> <!-- Event ID 1 == Process Creation. --> <ProcessCreate onmatch="include"> <ParentImage condition="end with">winword.exe</ParentImage> </ProcessCreate> <!-- Event ID 2 == File Creation Time. --> <FileCreateTime onmatch="include"/> <!-- Event ID 3 == Network Connection. --> <NetworkConnect onmatch="include"/> <!-- Event ID 5 == Process Terminated. --> <ProcessTerminate onmatch="include"/> <!-- Event ID 6 == Driver Loaded.--> <DriverLoad onmatch="include"/> <!-- Event ID 7 == Image Loaded. --> <ImageLoad onmatch="include"/> <!-- Event ID 8 == CreateRemoteThread. --> <CreateRemoteThread onmatch="include"/> <!-- Event ID 9 == RawAccessRead. --> <RawAccessRead onmatch="include"/> <!-- Event ID 10 == ProcessAccess. --> <ProcessAccess onmatch="include"> <SourceImage condition="end with">winword.exe</SourceImage> </ProcessAccess> <!-- Event ID 11 == FileCreate. --> <FileCreate onmatch="include"/> <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. --> <RegistryEvent onmatch="include"/> <!-- Event ID 15 == FileStream Created. --> <FileCreateStreamHash onmatch="include"/> <!-- Event ID 17 == PipeEvent. --> <PipeEvent onmatch="include"/> </EventFiltering> </Sysmon>
Again we'll update Sysmon to use this new config with the command
Sysmon.exe -c <filename>.xml. Then we'll take a snapshot of our VM (because we're about to run the Hancitor sample) and open up the malicious document. This should go without saying, but make sure you're environment is sufficiently isolated and you can easily restore to a known clean state before running the sample.
Once we click "Enable Content" and allow the sample to run, we should start seeing some events in Sysmon.
Event ID 10 gives us some different fields we can use for our search. First, we're looking for the string "office" in the SourceImage field to target only Microsoft Office applications. We can't really use the TargetImage field because we won't know in advance (in most cases) which process will be targeted for injection. But, looking at the CallTrace field, you should notice an entry labeled "UNKNOWN". At some point in execution, there was a call that was not recognized. This isn't always malicious, but its a reasonable indicator for Office applications. We can build our search to look for those two pieces of information.
event_data.SourceImage: office AND event_data.CallTrace: unknown
And in my test environment, we can clearly see Hancitor's process injection.
Just for context, if we remove the CallTrace field from our search, we end up with ~170 results in the same time frame even with Word only running for a short period of time. I ran this search in a large production environment over a 30 day period as well and saw no false positives. So, once again we're left with a pretty high fidelity search that can be used to identify certain types of malicious Office documents that use shellcode for process injection.