Query Details

CVE 2024 38112 ZERO DAY TRICKS IN Dot URL TO LURE VICTIMS

Query

// CVE-2024-38112 ZERO-DAY TRICKS IN dot URL TO LURE VICTIMS
// https://www.linkedin.com/posts/activity-7217706847808499713-AGPd/

Defenders using Sentinel or DefenderXDR can create the below MDE KQL detection to monitor such attack from Outlook and Teams:

DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".url" or FileName endswith ".URL"
| where InitiatingProcessFileName contains "outlook.exe" or 
InitiatingProcessFileName contains "teams.exe"

// MITRE ATT&CK Mapping

// Based on the analysis, the KQL query is likely detecting suspicious file creation activities that could be associated with phishing or malicious link delivery via email or collaboration tools. Here are the relevant MITRE ATT&CK techniques:

// T1566.001 - Phishing: Spearphishing Attachment:
// Description: This technique involves sending emails with malicious attachments to gain access to a victim’s system.
// Relevance: The query looks for .url files created by outlook.exe, which could indicate a phishing attempt via email.

// T1071.001 - Application Layer Protocol: Web Protocols:
// Description: This technique involves using web protocols for command and control.
// Relevance: .url files can be used to direct victims to malicious websites, potentially for command and control purposes.

// T1204.002 - User Execution: Malicious File:
// Description: This technique involves tricking users into executing malicious files.
// Relevance: .url files created by teams.exe could be used to deliver malicious links through collaboration tools.

// T1105 - Ingress Tool Transfer:
// Description: This technique involves transferring tools or files from an external system into a compromised environment.
// Relevance: .url files could be used to download additional malicious payloads.

// The KQL query is designed to detect potential phishing or malicious link delivery activities by monitoring the creation of .url files initiated by email and collaboration applications. This detection aligns with several MITRE ATT&CK techniques related to phishing, user execution, and command and control.

Explanation

The query is designed to help security teams using Microsoft Sentinel or DefenderXDR detect potential phishing or malicious activities. It specifically looks for the creation of files with a ".url" extension, which are often used to link to websites. The query focuses on files created by two applications: Outlook and Teams, which are commonly used for communication and collaboration.

Here's a simple breakdown of what the query does:

  1. Monitors File Creation: It checks for any new files created on a device.
  2. Targets Specific File Types: It specifically looks for files ending in ".url" or ".URL".
  3. Focuses on Certain Applications: It filters these file creation events to those initiated by "outlook.exe" or "teams.exe".

The purpose of this query is to identify potentially suspicious activities that could be part of a phishing attack or other malicious activities. For example, a ".url" file created by Outlook might be a phishing attempt via email, while one created by Teams could be a malicious link shared through a collaboration tool.

The query aligns with several MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. These techniques include phishing, using web protocols for command and control, tricking users into executing malicious files, and transferring malicious tools or files into a system.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsNameInitiatingProcess

Operators

DeviceFileEventswhereActionTypeFileNameendswithorInitiatingProcessFileNamecontains

Actions

GitHub