Query Details
// XLL file event followed by Excel.Application COM object making network connections
// Could indicate the presence of XLL dropper malware
// read more at https://github.com/optiv/Dent#remote-xll-payload-mode
let timeframe = 2h;
let lookupWindow = 1min;
let lookupBin = lookupWindow / 2.0;
DeviceFileEvents
| where Timestamp > ago(timeframe)
| where FileName endswith ".xll"
| where FolderPath !endswith "\\Library\\Analysis\\ANALYS32.XLL"
| project DeviceId, DeviceName, FileName, FolderPath, Start=Timestamp, ReportId, TimeKey=bin(Timestamp, lookupBin)
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where InitiatingProcessFileName =~ "excel.exe"
    | where InitiatingProcessParentFileName =~ "svchost.exe"
    | project DeviceName, RemoteUrl, RemotePort, ActionType,
        Username = InitiatingProcessAccountName,
        Email = InitiatingProcessAccountUpn,
        End = Timestamp,
        TimeKey = range(bin(Timestamp - lookupWindow, lookupBin),
                        bin(Timestamp, lookupBin),
                        lookupBin)
    | mv-expand TimeKey to typeof(datetime)
) on DeviceName, TimeKey
| where (End - Start) between (0min .. lookupWindow)
| extend Timestamp = Start
This query looks for an XLL file event followed, within one minute on the same device, by network connections from Excel where Excel was spawned by svchost.exe, which is how an instance created through the Excel.Application COM object appears, as opposed to one the user started from Explorer. Together these could indicate XLL dropper malware. The first leg takes DeviceFileEvents for files ending in ".xll", excludes Excel's own Analysis ToolPak add-in at "\Library\Analysis\ANALYS32.XLL" so that known-good activity does not fire, and buckets each event's timestamp into a 30-second TimeKey (lookupWindow / 2). The second leg takes DeviceNetworkEvents initiated by "excel.exe" with parent "svchost.exe" and expands each event into every 30-second TimeKey from one minute before it up to its own timestamp, so that a file event anywhere in the preceding minute shares a key with it. The two legs are joined on DeviceName and TimeKey, and the joined rows are filtered to those where the network event's End minus the file event's Start lies between 0 and lookupWindow, which discards bucket matches where the file event came after the connection or more than a minute before it. Finally Timestamp is set to the file event's Start so each result row reports when the XLL first appeared.
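To make the bucketed time-window join concrete, here is an added Python replay of the query's logic over constructed sample rows. It is not part of the original page or the Dent project: the row dictionaries, device names, paths, timestamps and the hostname are all made up to mirror the DeviceFileEvents and DeviceNetworkEvents columns the query uses. It walks the same three stages (filter and bin the file leg, expand the network leg's keys, join and apply the between filter) and shows which pairs survive each stage, including the two that share a bucket but fall outside the one-minute window.

```python
# Added example, not part of the original query page: a Python replay of the
# query's bucketed time-window join over constructed DeviceFileEvents and
# DeviceNetworkEvents rows, to show which pairs survive each stage.
from datetime import datetime, timedelta

LOOKUP_WINDOW = timedelta(minutes=1)   # let lookupWindow = 1min;
LOOKUP_BIN = LOOKUP_WINDOW / 2         # let lookupBin = lookupWindow / 2.0;
TOOLPAK_SUFFIX = "\\library\\analysis\\analys32.xll"  # Excel's built-in Analysis ToolPak


def kql_bin(ts, size):
    """Floor ts to a multiple of size, like KQL bin()."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // size) * size


def file_event_key(ev):
    """First leg: keep .xll file events (minus the ToolPak) and compute one TimeKey.
    KQL endswith / !endswith are case-insensitive, hence the lower()."""
    if not ev["FileName"].lower().endswith(".xll"):
        return None
    if ev["FolderPath"].lower().endswith(TOOLPAK_SUFFIX):
        return None
    return kql_bin(ev["Timestamp"], LOOKUP_BIN)


def network_event_keys(ev):
    """Second leg: excel.exe spawned by svchost.exe, expanded into every bin from
    one lookupWindow before the event up to the event itself, as the query's
    range(...) followed by mv-expand does."""
    if ev["InitiatingProcessFileName"].lower() != "excel.exe":
        return []
    if ev["InitiatingProcessParentFileName"].lower() != "svchost.exe":
        return []
    key = kql_bin(ev["Timestamp"] - LOOKUP_WINDOW, LOOKUP_BIN)
    last = kql_bin(ev["Timestamp"], LOOKUP_BIN)
    keys = []
    while key <= last:
        keys.append(key)
        key += LOOKUP_BIN
    return keys


def correlate(file_events, network_events):
    """join kind=inner on (DeviceName, TimeKey), then the between() filter."""
    index = {}
    for fev in file_events:
        key = file_event_key(fev)
        if key is not None:
            index.setdefault((fev["DeviceName"], key), []).append(fev)
    hits = []
    for nev in network_events:
        for key in network_event_keys(nev):
            # A file event has exactly one TimeKey, so each pair is joined at most once.
            for fev in index.get((nev["DeviceName"], key), []):
                delta = nev["Timestamp"] - fev["Timestamp"]
                # where (End - Start) between (0min .. lookupWindow)
                if timedelta(0) <= delta <= LOOKUP_WINDOW:
                    hits.append({"DeviceName": nev["DeviceName"], "FileName": fev["FileName"],
                                 "RemoteUrl": nev["RemoteUrl"],
                                 "Start": fev["Timestamp"], "End": nev["Timestamp"]})
    return hits


# Constructed sample rows. The network event is at 12:00:45 and expands to the
# keys 11:59:30, 12:00:00 and 12:00:30.
T = datetime(2023, 1, 17, 12, 0, 45)


def fe(device, name, folder, offset_s):
    return {"DeviceName": device, "FileName": name, "FolderPath": folder,
            "Timestamp": T + timedelta(seconds=offset_s)}


SAMPLE_FILE_EVENTS = [
    fe("ws01", "invoice.xll", "C:\\Users\\alice\\Downloads\\invoice.xll", -55),  # 11:59:50: hit
    fe("ws01", "ANALYS32.XLL",
       "C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL", -5),
    fe("ws01", "early.xll", "C:\\Temp\\early.xll", -65),  # 11:59:40: shares key 11:59:30, but > 1 min before
    fe("ws01", "late.xll", "C:\\Temp\\late.xll", 5),      # 12:00:50: shares key 12:00:30, but after the connection
    fe("ws01", "stale.xll", "C:\\Temp\\stale.xll", -180), # 11:57:45: no shared key at all
    fe("ws02", "other.xll", "C:\\Temp\\other.xll", -20),  # right time, wrong device
]

SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "EXCEL.EXE",
     "InitiatingProcessParentFileName": "svchost.exe",
     "RemoteUrl": "files.example.invalid", "Timestamp": T},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "excel.exe",
     "InitiatingProcessParentFileName": "explorer.exe",   # user-launched Excel: ignored
     "RemoteUrl": "files.example.invalid", "Timestamp": T},
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_FILE_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(h["DeviceName"], h["FileName"], "->", h["RemoteUrl"], "after", h["End"] - h["Start"])
```

Only invoice.xll survives. The bin size of half the window is what guarantees that any file event in the preceding minute lands on one of the expanded keys, and the between filter is what then removes the neighbours that share a bucket but sit outside the window (early.xll and late.xll); without it the join alone would report both.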

C.J. May
Released: January 17, 2023