Datatables excel export flagged as suspicious

Datatables excel export flagged as suspicious

jsuaresjsuares Posts: 8Questions: 1Answers: 0

When exporting using the HTML5 excel option the file gets flagged by SentinelOne.

Tried also by downloading the demo file on the datatables web site at https://datatables.net/extensions/buttons/examples/initialisation/export

When checking the file at https://www.virustotal.com/ it is flagged as "Matches rule Suspicious New Instance Of An Office COM Object by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)":

title: Suspicious New Instance Of An Office COM Object
id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
status: experimental
description: |
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
references:
- https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
- https://github.com/med0x2e/vba2clr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/13
modified: 2023/02/04
tags:
- attack.execution
- attack.defense_evasion
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\svchost.exe'
Image|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\eqnedt32.exe'
- '\visio.exe'
condition: all of selection*
falsepositives:
- Legitimate usage of office automation via scripting
level: medium

Answers

  • allanallan Posts: 62,235Questions: 1Answers: 10,209 Site admin

    I'd suggest reporting it to SentinelOne along with a copy of the Excel file in question. There is no macro in it, so I think the rule they are running is flagging the generated file incorrectly.

    Allan

  • jsuaresjsuares Posts: 8Questions: 1Answers: 0

    The flagging is not just by SentinelOne. As I mentioned submitting the file on the VirusTotal website also brings up the same issue.

  • allanallan Posts: 62,235Questions: 1Answers: 10,209 Site admin

    I just tried an Excel file created from here. This is the result from VirusTotal:

    Looks okay to me.

    Allan

  • jsuaresjsuares Posts: 8Questions: 1Answers: 0

    You are correct.

    But if you look closer at the report under the behavior tag you will see it is flagged under the Sigma rules as

    "Matches rule Suspicious New Instance Of An Office COM Object by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)"

    and that is why SentinelOne quarantines the file upon opening.

  • allanallan Posts: 62,235Questions: 1Answers: 10,209 Site admin

    Thanks for spotting that. To be honest, I don't see how that rule can apply to the file. The rule's title is "Suspicious New Instance Of An Office COM Object" and reading the description it relates to a new svchost process. We don't use COM scripting at all to create the file.

    Furthermore, the issue says "This can be used by malicious actors to create malicious Office documents with macros on the fly". Our file doesn't contain any macros, so it doesn't apply.

    It looks to me like the rule is matching any Excel file (since it can't detect svchost processes from a file upload!).

    The rule is far too broad - it is saying any generated file might contain a macro. Sure - they might, but our generated files most certainly do not. So the rule should be checked to check if the file has a macro in it or not.

    To check that, I've just created a new Excel file (with LibreOffice) which contains four cells (1,2,3,4), and uploaded that to VirusTotal. It reports exactly the same issue.

    I've no idea where I'd report that back to, but I think that is a BS rule too be blunt.

    Allan

Sign In or Register to comment.