The hypothesis is that this detection identifies a malicious Word-compatible document associated with the Poseidon Group, which is likely used to deliver payloads or exfiltrate data. Note that the rule keys on RTF content (it checks for the {\rt header), not on the OOXML or OLE Word formats, so the documents it finds are RTF lures that Word opens. YARA runs wherever raw file content is available (endpoint scanners, mail gateways, sandboxes); SOC teams should forward the resulting hits into Azure Sentinel and proactively hunt for this behavior there to identify and mitigate potential advanced persistent threat (APT) activity early in the attack lifecycle.
YARA Rule
rule PoseidonGroup_MalDoc_2
{
   meta:
      description = "Detects Poseidon Group - Malicious Word Document"
      author = "Florian Roth"
      reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
      date = "2016-02-09"
      score = 70
      hash1 = "3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c"
      hash2 = "1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af"
      hash3 = "f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a"
      hash4 = "ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed"
      hash5 = "27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778"
      hash6 = "1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216"
   strings:
      $s0 = "{\\*\\generator Msftedit 5.41." ascii
      $s1 = "Attachment 1: Complete Professional Background" ascii
      $s2 = "E-mail: \\cf1\\ul\\f1"
      $s3 = "Education:\\par" ascii
      $s5 = "@gmail.com" ascii
   condition:
      uint32(0) == 0x74725c7b and filesize < 500KB and 3 of them
}
This rule contains 5 string patterns in its detection logic ($s0, $s1, $s2, $s3 and $s5; there is no $s4). It fires only when all three parts of the condition hold: the first four bytes are the RTF header {\rt (0x74725c7b read as a little-endian uint32), the file is smaller than 500 KB, and at least 3 of the 5 strings are present. Because the rule is content-based, an exclusion keyed on a file extension alone is weak: a renamed RTF is still matched, and a genuine .docm or .dotm file is never matched in the first place. The scenarios below describe legitimate activity that can overlap with this detection and the exclusions that can be applied; exclusions should be scoped to the generating process or path and applied after the match, so that suppressed hits are still logged for review.
Scenario: Scheduled System Maintenance Report Generation
Description: A scheduled job runs a script to generate a system maintenance report in Word format, which includes macro-enabled content for automation.
Filter/Exclusion: Exclude files generated by the System Maintenance Scheduler task or files created by the report_generator.py script located in C:\scripts\maintenance.
Scenario: Admin Task - Document Template Update
Description: An administrator updates a Word document template used across the organization, which contains embedded macros for formatting and automation.
Filter/Exclusion: Exclude files written by the template_updater.exe tool in the C:\admin_tools\doc_utils directory. Do not rely on the .dotm extension by itself: the rule matches on RTF content, so an RTF renamed to .dotm would be suppressed while an RTF saved from the same template elsewhere would still alert.
Scenario: User-Driven Document Automation with VBA
Description: A user uses a legitimate VBA macro to automate repetitive document formatting tasks, such as generating monthly summaries.
Filter/Exclusion: Exclude files written by the Word Automation Tool, identified by the creating process. A per-user setting under HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Options describes that user's Word configuration, not the scanned file, so it is not a usable key for excluding an individual file.
Scenario: IT Support Tool for Document Conversion
Description: An IT support tool converts PDF files to Word format, and the conversion process embeds macros for content extraction.
Filter/Exclusion: Exclude files processed by the PDFtoWordConverter.exe tool located in C:\ITTools\pdf2docx, or files with the ConvertedFromPDF metadata tag.
Scenario: Internal Training Material with Embedded Macros
Description: Internal training materials are created with macros to include interactive content and quizzes for employee onboarding.
Filter/Exclusion: Exclude files in the C:\Training\Materials directory or files with the TrainingMaterial tag in the file metadata.
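The following is an added example, not code from this page or from the rule's author. It re-implements the PoseidonGroup_MalDoc_2 condition in plain Python so the three parts of the condition (RTF header, size cap, 3 of 5 strings) can be exercised without yara-python, and then applies the kind of post-match exclusions the tuning scenarios above describe. All sample documents, paths and exclusion entries are constructed for this example; the real Poseidon samples are known only by the hashes in the rule's meta block.

```python
"""Plain-Python equivalent of PoseidonGroup_MalDoc_2 plus post-match exclusions.

Added example, not the rule author's code. Samples, paths and the exclusion
list are constructed here for illustration.
"""
import ntpath
import struct

# The five literal strings from the rule ($s0, $s1, $s2, $s3, $s5; there is no $s4).
RULE_STRINGS = {
    "$s0": b"{\\*\\generator Msftedit 5.41.",
    "$s1": b"Attachment 1: Complete Professional Background",
    "$s2": b"E-mail: \\cf1\\ul\\f1",
    "$s3": b"Education:\\par",
    "$s5": b"@gmail.com",
}
RTF_MAGIC = 0x74725C7B      # uint32(0) little-endian == b"{\\rt", the RTF header
MAX_SIZE = 500 * 1024       # filesize < 500KB (YARA's KB suffix means 1024 bytes)
MIN_HITS = 3                # "3 of them"


def matched_strings(data: bytes) -> list:
    """Names of the rule strings present in data, in rule order."""
    return [name for name, pat in RULE_STRINGS.items() if pat in data]


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's condition clause."""
    if len(data) < 4:                       # uint32(0) is undefined on a shorter file
        return False
    magic = struct.unpack_from("<I", data, 0)[0]
    return (magic == RTF_MAGIC
            and len(data) < MAX_SIZE
            and len(matched_strings(data)) >= MIN_HITS)


# Hypothetical exclusion list mirroring the tuning scenarios on this page.
EXCLUDED_DIRS = (r"C:\scripts\maintenance", r"C:\Training\Materials")
EXCLUDED_EXTS = (".dotm",)


def triage(path: str, data: bytes) -> str:
    """Return 'clean', 'alert' or 'excluded' for one scanned file.

    Exclusions are consulted only after the content rule has matched, so a
    suppressed hit is still a hit the pipeline can log for later review.
    """
    if not matches_rule(data):
        return "clean"
    norm = ntpath.normcase(path)            # Windows paths are case-insensitive
    if ntpath.splitext(norm)[1] in EXCLUDED_EXTS:
        return "excluded"
    if any(norm.startswith(ntpath.normcase(d) + "\\") for d in EXCLUDED_DIRS):
        return "excluded"
    return "alert"


# Constructed sample 1: RTF carrying all five resume-style strings (not a real sample).
SUSPECT_RTF = (
    b"{\\rtf1\\ansi\\ansicpg1252\\deff0{\\fonttbl{\\f0\\fswiss Arial;}}"
    b"{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\f0\\fs20 "
    b"Attachment 1: Complete Professional Background\\par "
    b"Education:\\par "
    b"E-mail: \\cf1\\ul\\f1 someone@gmail.com\\par }"
)
# Constructed sample 2: benign RTF from the same editor; only $s0 is present.
BENIGN_RTF = b"{\\rtf1\\ansi{\\*\\generator Msftedit 5.41.21.2510;}\\pard Quarterly report\\par }"
# Constructed sample 3: the lure text without an RTF header, e.g. pasted into a .txt file.
NOT_RTF = b"Attachment 1: Complete Professional Background Education:\\par someone@gmail.com"
# Constructed sample 4: the suspect RTF padded past the size cap.
PADDED_RTF = SUSPECT_RTF + b" " * (512 * 1024)

if __name__ == "__main__":
    for label, path, data in [
        ("suspect", r"C:\Users\alice\Downloads\cv.rtf", SUSPECT_RTF),
        ("benign", r"C:\Users\alice\Documents\q3.rtf", BENIGN_RTF),
        ("not rtf", r"C:\Users\alice\Desktop\notes.txt", NOT_RTF),
        ("padded", r"C:\Users\alice\Downloads\cv.rtf", PADDED_RTF),
        ("training", r"C:\Training\Materials\cv.rtf", SUSPECT_RTF),
    ]:
        print(f"{label:9s} hits={matched_strings(data)} -> {triage(path, data)}")
```

Two of the constructed cases show why tuning matters: the padded sample carries every lure string but is ignored because the rule caps filesize at 500 KB, and the renamed .DOTM sample is suppressed by an extension-only exclusion even though its content is the suspect RTF. When deploying, prefer the process- or path-based exclusions and keep the "excluded" outcome in the log stream that feeds Sentinel rather than dropping it at the scanner.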