topic Re: Stealing Tokens from Office products in Cortex XDR Discussions

Stealing Tokens from Office products

RFeyertag — Sun, 18 Sep 2022 19:17:27 GMT

Hello dear community,

is there a capability in cortex xdr pro, which can detect or stop the dumping and stealing from tokens?

https://mrd0x.com/stealing-tokens-from-office-applications/?no-cache=1

How would you go on this? XQL BIOC query with detection on dump creation? Or BIOC XQL for strings64.exe call?

Rob

Re: Stealing Tokens from Office products

KanwarSingh01 — Mon, 19 Sep 2022 02:10:37 GMT

Hi @RFeyertag I would probably create BIOC rules with multiple logic:

Low Severity: Create a BIOC rule for srtings64.exe containing *.dmp in its command line. (Even though the article mentions that you could do an offline strings dump etc, Why? Obviously if done on the box it will create more telemetry and more telemetry creates more detection opportunities)
Informational Severity: Create a BIOC rule where I would monitor for a process command line containing a *.dmp in its CLI. (Produces quite a bit noise)
Medium Severity: Create a BIOC rule where an unsigned image created a *.dmp file (Please consider the noise in the environment before creation.)
Medium Severity: Create a BIOC rule where tool name such as procdump*.exe or dumpit.exe i.e. common process dump utilities are used.
Medium Severity: Create a BIOC rule where an image signer includes Microsoft* as a key word but the image name is not a known Microsoft Utility.
Medium Severity: rundll32.exe executing comsvc.dll

Before doing above baseline first:

config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW,ENUM.FILE_WRITE) | filter actor_process_image_name != null | filter actor_process_image_name not in ("werfault.exe","System") and action_file_name = "*.dmp" | fields _time as Time_Stamp, agent_hostname as Host, agent_ip_addresses as IP_Addr, action_file_name as Dump_Filename, actor_process_image_name as Process

Thanks

Kanwar

Re: Stealing Tokens from Office products

bbarmanroy — Thu, 22 Sep 2022 02:02:43 GMT

Hi @RFeyertag there's a BIOC available in github that you can take a look at to see if it meets your needs.

Re: Stealing Tokens from Office products

RFeyertag — Sat, 24 Sep 2022 20:59:39 GMT

Hey @bbarmanroy,

thank you very much! It worked like very good! Here is my final query:

dataset = xdr_data |
filter event_type = FILE and (
actor_process_image_name not contains "Teams" and
actor_process_image_name not contains "teams" and actor_process_image_path not contains "C:\Windows\System32\svchost.exe"
)
and (
action_file_path contains "\Microsoft\Teams\Cookies" or
action_file_path contains "Microsoft\Teams\Local Storage\leveldb" or
action_file_path contains "/Library/Application Support/Microsoft/Teams/Cookies" or
action_file_path contains "/Library/Application Support/Microsoft/Teams/Local Storage/leveldb" or
action_file_path contains "/.config/Microsoft/Microsoft Teams/Cookies" or
action_file_path contains "/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"
)

Do you think excluding svchost.exe is a good idea?

Rob

Re: Stealing Tokens from Office products

bbarmanroy — Mon, 26 Sep 2022 03:00:16 GMT

Hi @RFeyertag the query looks good.

I'd probably want to clean up a bit if that makes for a quicker read as BIOC rules are case-insensitive by default (takes care of the process name) as well as put the paths in an array:

dataset = xdr_data | filter event_type = ENUM.FILE | filter action_file_path in ("%AppData%\Microsoft\Teams\Cookies", "%AppData%\Microsoft\Teams\Local Storage\leveldb", "~/Library/Application Support/Microsoft/Teams/Cookies", "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb","~/.config/Microsoft/Microsoft Teams/Cookies", "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb") and action_process_image_name !~= "teams"

I am not full up-to-date with the threat, but I understand that this requires local privileges on the endpoint (so an attacker would already have access to Teams at that point post-authentication?). As such, putting in svchost in the query is probably not necessary. Do discuss this with your wider information security teams (including threat intel) to discover variants and use that to modify the BIOC as needed.