Email ASR Executable Content Triggered

# ASR Executable Content triggered ## Query Information #### MITRE ATT&CK Technique(s) | Technique ID | Title | Link | | --- | --- | --- | | T1566.001 | Phishing: Spearphishing Attachment | https://attack.mitre.org/techniques/T1566/001/ | #### Description The ASR rule in this query has the following description: This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers: - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file) This query uses the ASR trigger as input and joins that with the available email information. This can then be used the find the source of the mail, which can then be blocked. Adverseries may use this technique to trick users into opening executable files that give the attacker initial access. #### Risk If this rule is on block mode the action is blocked, if the rul is on audit mode then the user was tricked into running executable content. This can result in an actor gaining initial access. #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide - https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/ ## Defender For Endpoint ``` DeviceEvents | where ActionType in ("AsrExecutableEmailContentBlocked", "AsrExecutableEmailContentAudited") // join the information from the email attachment | join kind=inner (EmailAttachmentInfo | project NetworkMessageId, FileName, SHA256, FileSize) on $left.FileName == $right.FileName // join the email information | join kind=inner (EmailEvents | project SenderFromAddress, Subject, NetworkMessageId) on $left.NetworkMessageId == $right.NetworkMessageId | project-reorder SenderFromAddress, Subject, FileName, FileSize, SHA256 ``` ## Sentinel ``` DeviceEvents | where ActionType in ("AsrExecutableEmailContentBlocked", "AsrExecutableEmailContentAudited") // join the information from the email attachment | join kind=inner (EmailAttachmentInfo | project NetworkMessageId, FileName, SHA256, FileSize) on $left.FileName == $right.FileName // join the email information | join kind=inner (EmailEvents | project SenderFromAddress, Subject, NetworkMessageId) on $left.NetworkMessageId == $right.NetworkMessageId | project-reorder SenderFromAddress, Subject, FileName, FileSize, SHA256 ```

Explanation

This query is used to identify and block or audit executable content that is triggered by ASR (Attack Surface Reduction) rules. It looks for specific file types, such as .exe, .dll, or .scr, and script files like PowerShell .ps1, Visual Basic .vbs, or JavaScript .js files, that are launched from emails opened in Microsoft Outlook or webmail providers. The query joins email attachment information with email information to find the source of the email and can be used to block it. The risk is that if the rule is on block mode, the action is blocked, but if it's on audit mode, the user was tricked into running executable content, which can result in an attacker gaining initial access.

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceEventsEmailAttachmentInfoEmailEvents

Keywords

DeviceEvents,ActionType,AsrExecutableEmailContentBlocked,AsrExecutableEmailContentAudited,EmailAttachmentInfo,NetworkMessageId,FileName,SHA256,FileSize,EmailEvents,SenderFromAddress,Subject

Operators

whereinjoinprojecton$left.$right.project-reorder

KQL Search