This post is going to cover how the Sophos Central Adaptive Cybersecurity Ecosystem (ACE) empowers an analyst to maximize time spent hunting across their environment. We will focus our attention on a trend in attacks -- using Microsoft OneNote files.
Why? Simple--Microsoft put restrictions on the use of macros in Word and Excel documents. This has made it challenging for adversaries to follow their traditional playbooks. Their solution? Quite simple too -- send the target a OneNote file with embedded files.
This post is the Query Corner's version of "March Madness"
You must have XDR enabled in your environment. Sophos Email Security or XG/XGS Firewall Series will be required for some of the queries.
DISCLAIMER: Query #1 and #2 rely upon Microsoft 365 Administrative Templates to be successful. These links are provided "as-is" and Sophos does not support them in any capacity.
NOTE: Please verify you have met the prerequisites.
SELECT
    name,
    datetime(mtime, 'unixepoch', 'localtime') AS modifiedTime,
    CASE
        WHEN data = '1' THEN 'Enabled'
        WHEN data = '0' THEN 'Disabled'
        ELSE 'key not found'
    END AS Status
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\office\%\onenote\options\%%'
  AND name = 'disableembeddedfiles'
If your agent reports Enabled, OneNote is blocked from loading ANY embedded file type. If the query returns nothing, the Admin Templates are not applied to the device(s) or this setting is not configured.
NOTE: Please verify you have met the prerequisite.
/*
-- author: jkopacko
-- version 1.0 - 03/06/2023
*/
SELECT
    name,
    REPLACE(data, ';', ' ') AS fileTypes,
    datetime(mtime, 'unixepoch', 'localtime') AS modifiedTime
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\office\%\onenote\options\embeddedfileopenoptions\%%'
  AND name = 'blockedextensions'
If this returns nothing, the Admin Templates are not applied to the device(s) or the mitigation is not configured.
The fileTypes column replaces the semicolons in the raw value with spaces so the list is easier for the analyst to read. The Group Policy value itself is formatted as ".ext1;.ext2;.ext3;.etc".
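Query #1 and #2 each return one setting per row, so on a multi-user device you end up reading two result sets side by side. The query below is an added example (it is not from the original post and is not a Sophos-provided query) that collapses both mitigations into one row per user hive. It assumes the osquery registry table columns used above (path, name, data, mtime), the same Group Policy key paths, and that the hive SID sits between 'HKEY_USERS\' and the next backslash in the path.

```sql
/*
Added example (not part of the original Query Corner post): one row per user hive
showing the disableembeddedfiles state (Query #1) and the blockedextensions list
(Query #2) together. Assumes osquery's registry table (path, name, data, mtime).
*/
SELECT
    hive,
    CASE MAX(CASE WHEN name = 'disableembeddedfiles' THEN data END)
        WHEN '1' THEN 'Enabled'
        WHEN '0' THEN 'Disabled'
        ELSE 'key not found'
    END AS embeddedFilesBlocked,
    COALESCE(REPLACE(MAX(CASE WHEN name = 'blockedextensions' THEN data END), ';', ' '),
             'not configured') AS blockedExtensions,
    datetime(MAX(mtime), 'unixepoch', 'localtime') AS lastChanged
FROM (
    SELECT
        -- carve the user SID out of 'HKEY_USERS\<SID>\...' ('HKEY_USERS\' is 11 characters,
        -- so the SID starts at position 12 and runs to the next backslash)
        substr(path, 12, instr(substr(path, 12), '\') - 1) AS hive,
        name,
        data,
        mtime
    FROM registry
    -- the %% after options\ also matches the embeddedfileopenoptions subkey used by Query #2
    WHERE path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\office\%\onenote\options\%%'
      AND name IN ('disableembeddedfiles', 'blockedextensions')
)
GROUP BY hive
```

A hive that has neither key is absent from the output, which matches the "returns nothing" behaviour described above; a hive with only one of the two keys shows 'key not found' or 'not configured' in the missing column, which is the gap an analyst wants to spot. The MAX() aggregates simply pick the single value present for each name within a hive.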
NOTE: This can be resource intensive
/*
-- author: jkopacko
-- Descriptive names: startTime
-- Variable type: Date
-- Value: wildcards work but discouraged due to resource demand
-- version 1.0 - 03/06/2023
*/
SELECT
    sfp.sha256,
    f.path,
    f.filename,
    datetime(f.atime, 'unixepoch', 'localtime') AS Last_Accessed,
    datetime(f.mtime, 'unixepoch', 'localtime') AS Last_Modified,
    datetime(f.ctime, 'unixepoch', 'localtime') AS Creation_Time
FROM file f
LEFT JOIN sophos_file_properties sfp ON f.path = sfp.path
WHERE f.filename LIKE '%.one'
  AND (
       f.path LIKE 'C:\Users\Public\%%'
    OR f.path LIKE 'C:\Users\%\Downloads\%'
    OR f.path LIKE 'C:\Users\%\Documents\%'
    OR f.path LIKE 'C:\Users\%\Desktop\%'
    OR f.path LIKE 'C:\Users\%\Music\%%'
    OR f.path LIKE 'C:\Users\%\Pictures\%%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Temp\%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\%'
    -- Can add more search locations but will task the service further
    /*
    OR f.path LIKE 'C:\ProgramData\%'
    OR f.path LIKE 'C:\Perflogs\%'
    OR f.path LIKE 'C:\Intel\%'
    OR f.path LIKE 'C:\Temp\%'
    OR f.path LIKE 'C:\Windows\%'
    OR f.path LIKE 'C:\Windows\Temp\%'
    OR f.path LIKE 'C:\Windows\System32\%'
    OR f.path LIKE 'C:\Windows\SysWOW64\%'
    */
  )
  AND datetime(f.ctime, 'unixepoch', 'localtime') > $$startTime$$
NOTE: Later versions of this query will be modified to gather data sets in intervals of 6-8 hours, which allows for longer hunting windows without overloading the service.
NOTE: We could use this query to hunt for a specific SHA256 discovery if we received Threat Intel on an IoC/IoA.
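The two notes above describe a bounded time window and a SHA256 pivot. The query below is an added example (not from the original post and not a Sophos-provided query) that folds both into the file hunt: it takes a start and end time instead of an open-ended start, and a sha256 variable that accepts wildcards so the same query serves the broad sweep and the IoC check. It assumes the same file and sophos_file_properties tables as the query above, and that Live Discover substitutes the $$...$$ variables as quoted values, as the $$startTime$$ comparison above already relies on.

```sql
/*
Added example (not part of the original Query Corner post): OneNote file hunt
bounded to a time window with an optional SHA256 pivot.
-- Descriptive names: startTime, endTime, sha256
-- Variable type: Date, Date, String
-- Value: sha256 accepts wildcards; enter % to match every file, or a hash from
--        Threat Intel to check for a known IoC
Assumes the file and sophos_file_properties tables used in Query #3.
*/
SELECT
    sfp.sha256,
    f.path,
    f.filename,
    f.size,
    datetime(f.ctime, 'unixepoch', 'localtime') AS Creation_Time,
    datetime(f.mtime, 'unixepoch', 'localtime') AS Last_Modified
FROM file f
LEFT JOIN sophos_file_properties sfp ON f.path = sfp.path
WHERE f.filename LIKE '%.one'
  -- the locations where a mailed or downloaded OneNote file first lands
  AND (
       f.path LIKE 'C:\Users\%\Downloads\%'
    OR f.path LIKE 'C:\Users\%\Desktop\%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Temp\%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\%'
  )
  -- a closed window keeps each run cheap; run consecutive windows to cover a longer hunt
  AND datetime(f.ctime, 'unixepoch', 'localtime') BETWEEN $$startTime$$ AND $$endTime$$
  -- COALESCE keeps files that have no properties row when sha256 is the % wildcard;
  -- a specific hash naturally drops them
  AND COALESCE(sfp.sha256, '') LIKE $$sha256$$
ORDER BY f.ctime DESC
```

Running it with sha256 set to % reproduces the sweep from the query above for one window; running it with a hash from an advisory answers "is this file on any of my endpoints" without editing the query.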
Good news! This is already available in your Dashboard today.
Navigate to Live Discover > Data Lake > Email > Find Emails with Attachments
Enter the query as shown below:
You can use wildcards within the values of the variables. Here I am expanding this to search for ANY (%) attachment name with the OneNote file extension (.one).
NOTE: I am using TLS decryption in my Lab environment
SELECT
    timestamp,
    log_type,
    log_component,
    log_subtype,
    severity,
    user_name,
    src_ip,
    dst_ip,
    dst_port,
    app_name,
    app_category,
    app_risk,
    url,
    download_file_name,
    download_file_type
FROM xgfw_data
WHERE download_file_name LIKE '%.one'
NOTE: this screenshot is missing several categories, but the destination info is what we really care about, right? ;)
Happy querying!
-jk
Interesting article. #4 doesn't work for me. "I get access not allowed for:xdr_xge_att_data" when I press the run query button.
Can Sophos fix this?
Are you using the Sophos Email Security product? Without it, the database will not be present.
jk