08-29-2017 10:26 AM - edited 08-30-2017 03:09 PM
I am trying to create a custom signature to block macro-enabled word documents. I can't use the "39154" signature for blocking, because it also blocks other office documents, such as .xlsx. I am in the testing phase, and I have created a custom signature to detect and alert on just word documents with macros enabled, but so far I have been unable to get the alert to actually trigger. I'm using the "file-office-content" context to find the below pattern matches. I found the strings in various macro-enabled word documents using a hex viewing tool.
One of these four patterns must match:
word/_rels/document.xml.rels
Microsoft.Office.Word
\x776F72642F5F72656C732F646F63756D656E742E786D6C2E72656C73\x
\x4D6963726F736F6674204F666669636520576F7264\x
AND
One of these patterns must match:
vba.*versioncompatible32
vba.*VersionCompatible32
VBA.*versioncompatible32
VBA.*VersionCompatible32
x\-vba\-macros
VbaProject\.bin
vbaproject\.bin
vbaProject\.bin
08-30-2017 09:59 AM - edited 08-30-2017 10:00 AM
I have an update to this custom signature issue. According to the PA custom signature documentation you can look at the document binaries and use regex or hex search strings to match traffic against strings in the binaries, but it looks like that won't work. I was able to get this alert to work by looking in packet captures and using the following pattern matches within the file-office-content context:
Match one of the following:
\x776F72642F5F72656C732F646F63756D656E742E786D6C2E72656C73\x
\x4D6963726F736F6674204F666669636520576F7264\x
\x540068006900730044006f00630075006d0065006e0074\x
AND
One of the following:
\x417474726962757400652056425f4e616d0065\x
\x5f005600420041005f00500052004f004a00450043005400\x
08-31-2017 05:23 AM
Hi,
Do you have a pcap of such a document? It is the easiest way to see / collect the strings you need.
At first, I'd go with only "one and one" string, without trying to match "OR" in the beginning. Once I have confirmed it works for one type of file, I'd expand it.
If it doesn't work for you like this (step-by-step approach), can you maybe upload one file here and I will try to see if I can help?
Best regards,
Luciano
08-31-2017 06:53 AM
I've got the alert working now, but I appreciate the feedback. I was looking in the binary of the document, rather than the pcap, originally. I can't speak for other contexts, but it appears that pcap is the only reliable way to gather search strings for the "file-office-content" context. Palo Alto should consider rewriting their documentation to reflect that.
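The posts above boil down to two things: the signature is an AND of two OR groups of byte patterns, and the strings that match depend on what the inspection engine actually sees (the poster got results from a pcap, not from the file on disk). The following is an added example, not code from this thread or from Palo Alto Networks. It decodes the \x...\x hex patterns from the update post with bytes.fromhex(), applies the same AND/OR logic to a byte buffer, and runs it against a constructed stand-in for a .docx/.docm (a zip with the relevant member names and strings, not a real document and not a valid OLE vbaProject.bin) both as raw container bytes and as decompressed member content. The helper names (evaluate, decoded_members, build_sample, compare) and the sample document are assumptions made for this illustration; nothing here describes how the PAN-OS file-office-content context decodes traffic.

```python
import io
import re
import zipfile

# The \x...\x hex patterns from the update post, decoded to raw bytes.
# bytes.fromhex() yields the exact byte sequence a hex pattern stands for.
GROUP_A = [  # "match one of the following"
    bytes.fromhex("776F72642F5F72656C732F646F63756D656E742E786D6C2E72656C73"),  # word/_rels/document.xml.rels
    bytes.fromhex("4D6963726F736F6674204F666669636520576F7264"),                # Microsoft Office Word
    bytes.fromhex("540068006900730044006f00630075006d0065006e0074"),            # ThisDocument (UTF-16LE)
]
GROUP_B = [  # AND "one of the following"
    bytes.fromhex("417474726962757400652056425f4e616d0065"),                    # Attribut.e VB_Nam.e (compressed VBA stream)
    bytes.fromhex("5f005600420041005f00500052004f004a00450043005400"),          # _VBA_PROJECT (UTF-16LE)
]
# The regex-style condition from the first post, applied to zip member names.
VBA_MEMBER_RE = re.compile(rb"vbaProject\.bin", re.IGNORECASE)


def evaluate(buf: bytes) -> dict:
    """Apply the signature's two-group AND/OR logic to one byte buffer."""
    hits_a = [p for p in GROUP_A if p in buf]
    hits_b = [p for p in GROUP_B if p in buf]
    return {"group_a": hits_a, "group_b": hits_b, "fires": bool(hits_a and hits_b)}


def decoded_members(buf: bytes) -> bytes:
    """Concatenate the decompressed content of every member of an OOXML zip.

    Raw container bytes expose member *names* in clear (zip headers) but
    member *contents* are deflate-compressed, so strings inside app.xml or
    vbaProject.bin are only visible after the container is unpacked.
    """
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        return b"".join(zf.read(name) for name in zf.namelist())


def has_vba_member(buf: bytes) -> bool:
    """True if any member name matches the vbaProject.bin regex."""
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        return any(VBA_MEMBER_RE.search(n.encode()) for n in zf.namelist())


def build_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for a .docx/.docm (assumption, not a real document).

    Only the member names and strings the signature keys on are present.
    The vbaProject.bin stand-in is not a valid OLE file; it merely carries the
    UTF-16LE directory names the hex patterns look for.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/document.xml.rels", "<Relationships/>")
        zf.writestr("docProps/app.xml",
                    "<Properties><Application>Microsoft Office Word</Application></Properties>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            fake_ole = (b"\xd0\xcf\x11\xe0" + b"\x00" * 64          # padding that compresses well
                        + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
                        + "ThisDocument".encode("utf-16-le") + b"\x00" * 40)
            zf.writestr("word/vbaProject.bin", fake_ole)
    return out.getvalue()


def compare(buf: bytes) -> dict:
    """Evaluate the signature on raw container bytes and on decoded content."""
    return {"raw": evaluate(buf)["fires"],
            "decoded": evaluate(decoded_members(buf))["fires"],
            "vba_member": has_vba_member(buf)}


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, compare(doc))
```

Running it shows the macro-enabled sample firing only on the decoded view: on the raw zip bytes group A matches (the word/_rels/document.xml.rels name sits in clear in the zip headers) but the _VBA_PROJECT and ThisDocument strings are inside a deflated member and never appear literally, so the AND fails. The plain sample never fires on either view. The practical takeaway matches Luciano's advice: confirm each string against a capture of what the engine actually inspects, one condition at a time, before combining them.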
08-31-2017 07:29 AM
Thanks for the feedback on the need to do some documentation enhancement.
Sometimes we assume that everyone thinks the way we do and it's good to get a reminder that we all come at these problems with different assumptions and perspectives baked into our viewfinder.
-Benjamin