Winword (7adaeb79-087f-4d65-8f8f-d4689755b107)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office binary
Author: Reegun J (OCBC Bank)
Paths:
* C:\Program Files\Microsoft Office\root\Office16\winword.exe
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
* C:\Program Files\Microsoft Office\Office16\winword.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
* C:\Program Files\Microsoft Office\Office15\winword.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
* C:\Program Files\Microsoft Office\Office14\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
* C:\Program Files\Microsoft Office\Office12\winword.exe
Resources:
* https://twitter.com/reegun21/status/1150032506504151040
* https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Detection:
* Sigma: proc_creation_win_office_arbitrary_cli_download.yml
* IOC: Suspicious Office application Internet/network traffic
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
TA505 (b3220638-6682-4a4e-ab64-e7dc4202a3f1) | Tidal Groups | Winword (7adaeb79-087f-4d65-8f8f-d4689755b107) | Tidal Software | 1 |