Outlook writing zip #3877
Open
Outlook writing zip #3877
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
patel-bhavin
commented
Jan 23, 2026
patel-bhavin
commented
- updated to production
- updates to the query to join on guid
- added new dataset
nasbench
reviewed
Jan 23, 2026
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/outlook_writing_zip/outlook_writing_zip.log |
Contributor
There was a problem hiding this comment.
The dataset is missing EventID 11 for the file creation. You grabbed EID 15 instead.
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/outlook_writing_zip/outlook_writing_zip.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |
Contributor
There was a problem hiding this comment.
Suggested change
| sourcetype: XmlWinEventLog | |
| sourcetype: XmlWinEventLog | |
Comment on lines
+87
to
+88
| - field: file_name | ||
| type: file_name |
Contributor
There was a problem hiding this comment.
File path is as important if not more than file_name
Suggested change
| - field: file_name | |
| type: file_name | |
| - field: file_name | |
| type: file_name | |
| - field: file_path | |
| type: file_path |
| malicious_id outlook_id dest file_path file_name file_hash count file_id] | table | ||
| firstTime lastTime user malicious_id outlook_id process_name parent_process_name | ||
| file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`' | ||
| - Sysmon EventID 1 AND Sysmon EventID 15 |
Contributor
There was a problem hiding this comment.
It should EID 11 for file creation
Suggested change
| - Sysmon EventID 1 AND Sysmon EventID 15 | |
| - Sysmon EventID 1 AND Sysmon EventID 11 |
nasbench
reviewed
Jan 23, 2026
| | join malicious_id | ||
| type=inner | ||
| [| tstats `security_content_summariesonly` count values(Filesystem.file_path) | ||
| as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem |
Contributor
There was a problem hiding this comment.
As discussed its also best to have action=created for better perf
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.