Skip to content

Latest commit

 

History

History
49 lines (39 loc) · 3 KB

T1566.001_Spearphishing_Attachment.md

File metadata and controls

49 lines (39 loc) · 3 KB
Raw

Spearphishing Attachment [T1566.001]

As a method of entry into an organization, an adversary may send a well crafted malicious attachment to an individual or a small group in a spearphishing campaign. The attachment could be a document that instructs the user to take some action, such as clicking a link and/or logging in to a portal; or it could be a file crafted to exploit a vulnerability in the software used to open it, such as Adobe Acrobat or Microsoft Word.

The Corelight smtp log contains records in the fuids field if there were any files attached to a message delivered over SMTP. This field can be used to pivot to the files log which contains detailed information about the file including filename, hashes, and the source. For example:

path: smtp
from: Your Friend <[email protected]>
fuids: [ "Fh5GBc1wdVp3x9MKxc"  ]
mailfrom: [email protected]
rcptto: [ "[email protected]" ]
subject: Definitely not a spear-phish
to: [ "[email protected]" ]
uid: CzKseq1Y3zo2qsTYH5
user_agent: Apple Mail (2.3608.80.23.2.2)

path: files
conn_uids: [ "CzKseq1Y3zo2qsTYH5" ]
filename: WIRE_FRAUD.pdf
fuid: Fh5GBc1wdVp3x9MKxc
md5: e71c36cddd2aa42670d89d63e653d1da
mime_type: application/pdf
sha1: bb24829550c0ca17db73d80a1d2f969e3b06ff5f
source: SMTP

To hunt for potential spearphish attempts, you can search in the files log:

  • The value in the source field is SMTP.
  • Filter out any uninteresting mime_type and/or filename values, as previously mentioned.
  • Consider taking using hashes (MD5, SHA1, or SHA256) with a file reputation service (such as Virustotal) to look for known malicious files.

Additionally, you may start from the smtp log:

  • To reduce the data look for entries where the fuids field is non-empty.
  • Filter out known good combinations of mailfrom and from values.
  • Filter out uninteresting subject values.
  • Consider using the fuid value from the remaining records to pivot to the files log to get more information about the file.

Corelight can perform high-speed file extraction and can filter based on MIME type, so any interesting files, such as executables, Office documents, and PDFs are available for more scrutiny if desired.

Much of the mail that crosses the internet today is encrypted via STARTTLS over the SMTP protocol, and this hinders visibility. To achieve better visibility without sacrificing privacy and security for your users, it is a best practice to accept inbound SMTP at a system that supports STARTTLS, then proxy the mail to the internal mail system, so that Corelight can generate the corresponding logs.

Sigma Queries for Hunting

Name URL
Potentially Harmful Attachment https://tdm.socprime.com/tdm/info/BXbamuVTKLW8
Possible Typo Squatting or Punycode Phishing HTTP Request https://tdm.socprime.com/tdm/info/FuLp3P7q071Y
Files as SMTP Attachments (Overview Query) ./T1566.001-files-as-smtp-attachments-overview-query.yml