Network Connection Initiated By Eqnedt32.EXE

Rule name: Network Connection Initiated By Eqnedt32.EXE

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Execution: Exploitation for Client Execution (T1203)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Eqnedt32.exe is the Microsoft Equation Editor process used to embed and edit equations within MS Office documents. Attackers can abuse known vulnerabilities in it, such as CVE-2017-11882, to run code of their choosing, and in that scenario the process may initiate a network connection it would not normally make. The executable is often leveraged in this way to establish command-and-control (C2) communication with malicious servers.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access (spear phishing) → Execution (through MS Office document) → Command and control → Impact

Impact

  • Attackers execute code with the privileges of the victim by exploiting Equation Editor.
  • The infected or compromised system tries to establish a connection with the attacker's C2 server to receive further instructions.
  • Data exfiltration is carried out over the same network connection.

Rule Requirement

Prerequisites

  • Download and install Sysmon from Microsoft Sysinternals. Then open a Command Prompt with administrator privileges and install Sysmon with a configuration file that monitors network connections:

sysmon.exe -i [configfile.xml]

  • Add network connection events to monitor in your configuration file (the schemaversion attribute is required by Sysmon; an empty exclude rule means no event is excluded, so every network connection is logged):

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Empty exclude list: this captures all network connection events (Event ID 3) -->
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

  • Create a new registry key "Microsoft-Windows-Sysmon/Network" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
  • Set the registry value Max Size to 200 MB to ensure adequate storage for network logs, as they tend to be high volume.

Criteria

Action1: actionname = "sa_network_connection" AND PROCESSNAME endswith "\eqnedt32.exe"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.USERNAME, Action1.PROCESSNAME, Action1.DESTINATIONHOST, Action1.DESTINATION_IPV6, Action1.DEST_IP, Action1.SOURCEHOST, Action1.SOURCE_IP, Action1.SOURCE_IPV6
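The criteria above, applied to Sysmon Event ID 3 (NetworkConnect) records as they appear in the Windows event log XML. This is an added example, not the product's own rule engine; the three events, hosts, users and addresses are constructed for illustration, and the case-insensitive comparison is an assumption made because the image on disk is spelled EQNEDT32.EXE while the rule writes eqnedt32.exe.

```python
import xml.etree.ElementTree as ET

# Windows event-log XML namespace used by Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _record(image, user, src, dst, dst_host, port, computer="WS01.corp.example"):
    # Build one constructed Sysmon NetworkConnect (Event ID 3) record.
    data = {"Image": image, "User": user, "SourceIp": src, "SourceHostname": computer,
            "DestinationIp": dst, "DestinationHostname": dst_host, "DestinationPort": port}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>3</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')

# Constructed sample: one Equation Editor connection and two benign connections.
SAMPLE_EVENTS = [
    _record(r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
            r"CORP\alice", "10.0.0.15", "203.0.113.7", "-", "443"),
    _record(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            r"CORP\alice", "10.0.0.15", "198.51.100.20", "cdn.example.net", "443"),
    _record(r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
            "10.0.0.15", "10.0.0.1", "dc01.corp.example", "53"),
]

def parse_event(xml_text):
    # Flatten one event into a dict keyed by the Sysmon field names.
    root = ET.fromstring(xml_text)
    event = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS),
             "HOSTNAME": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        event[d.get("Name")] = d.text
    return event

def matches_rule(event):
    # Rule criteria: a network-connection event whose process image ends with
    # \eqnedt32.exe (compared case-insensitively, see the lead-in assumption).
    return event.get("EventID") == "3" and event.get("Image", "").lower().endswith("\\eqnedt32.exe")

def run_rule(xml_events):
    # Return the columns the rule selects for every event that triggers it.
    hits = []
    for ev in map(parse_event, xml_events):
        if matches_rule(ev):
            hits.append({"HOSTNAME": ev["HOSTNAME"], "USERNAME": ev.get("User"),
                         "PROCESSNAME": ev.get("Image"), "DEST_IP": ev.get("DestinationIp"),
                         "DESTINATIONHOST": ev.get("DestinationHostname"),
                         "SOURCE_IP": ev.get("SourceIp"), "SOURCEHOST": ev.get("SourceHostname")})
    return hits

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```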

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Exploitation for Client Execution (T1203)

Security Standards

Enabling this rule will help you meet the security standard requirements listed below:

PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.

This requirement calls for the organization to secure data against unauthorized access, alteration, or transmission. Encryption in transit (SSL or TLS), data integrity measures, and documenting network traffic are a few preventive measures against data leaks.

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

Security administrators have to continuously monitor the whole network and its services in real time using SIEM tools and identify unusual behavior, such as a network connection initiated by Eqnedt32.exe. Enforce policies on web traffic to ensure network security.

Author

Max Altgelt (Nextron Systems)

Future actions

Known False Positives

A network connection initiated by Eqnedt32.EXE can be legitimate when the process connects to external sources for updates, validation, and file retrieval activities.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify the event and check whether the flagged incident is new or an existing one.
  2. Analysis: Analyze the impact and extent of the incident to understand the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Reconfiguration: Update the network policies and port configurations, and continuously monitor traffic trends in the network.

Mitigation

Mitigation ID: M1048
Mitigation Name: Application Isolation and Sandboxing
Mitigation description: Use browser sandboxing to isolate the critical network from untrusted web content, and to stop malicious web pages or scripts from accessing sensitive data.

Mitigation ID: M1050
Mitigation Name: Exploit Protection
Mitigation description: Use tools such as Windows Defender Exploit Guard (WDEG) or the Enhanced Mitigation Experience Toolkit (EMET) to mitigate behavior-based exploitation, and enable control-flow integrity checking to identify and stop a software exploit.

Mitigation ID: M1051
Mitigation Name: Update Software
Mitigation description: Keep software updated with all required security patches to prevent adversaries from exploiting known vulnerabilities.