Execution of File Written or Modified by Microsoft Office
Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/01"

[rule]
author = ["Elastic"]
description = """
Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often
launched via scripts inside documents or during exploitation of Microsoft Office applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Execution of File Written or Modified by Microsoft Office"
risk_score = 73
rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
type = "eql"

query = '''
sequence with maxspan=2h
  [file where host.os.type == "windows" and event.type != "deletion" and file.extension : "exe" and
     process.name : (
         "WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE",
         "eqnedt32.exe", "fltldr.exe", "MSPUB.EXE", "MSACCESS.EXE"
     )
  ] by host.id, file.path
  [process where host.os.type == "windows" and event.type == "start" and
   not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and
   not (process.name : "ShareFileForOutlook-v*.exe" and process.code_signature.subject_name : "Citrix Systems, Inc." and process.code_signature.trusted == true)
  ] by host.id, process.executable
'''

note = """## Triage and analysis

### Investigating Execution of File Written or Modified by Microsoft Office

#### Possible investigation steps

- Which source events matched the Office write-to-execute sequence?
  - Why: this sequence can merge fields from different file and process events, so source events are the evidence for writer and executed-process identity.
  - Focus: open Investigate in Timeline for the alert window on the same host; compare written `file.path` with executed `process.executable`, then record source `process.name`, `process.entity_id`, and stable `user.id`.
  - Implication: escalate when Office creates an executable that later starts from the same path; lower suspicion when the recovered sequence resolves to a recognized signed add-in or helper updater in a controlled product tree. Signed Microsoft NewOutlookInstaller.exe and Citrix ShareFileForOutlook helpers are excluded, so a generic updater label is not closure.

- Is the Office writer the expected Office component and parent context?
  - Focus: writer `process.executable`, signer/trust, `process.parent.executable`, and `process.parent.command_line`.
  - Implication: escalate when WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE, eqnedt32.exe, or fltldr.exe is renamed, untrusted, user-writable, or launched by an unusual parent; lower suspicion when writer path, signer, and parent chain match the user's recognized Office integration. Writer identity never clears the executed file by itself.

- Does the written executable look staged for payload delivery?
  - Focus: `file.path`, original path/extension, `file.Ext.header_bytes`, `file.Ext.windows.zone_identifier`, and same-host file activity on the written path. $investigate_1
  - Implication: escalate for Temp, Downloads, AppData, mail cache, startup, unrelated product paths, Internet Zone evidence, or executable content after rename; lower suspicion when the artifact stays in a recognized add-in or update tree and path history fits that workflow.

- Does the executed file's identity and command line fit the same workflow?
  - Focus: executed `process.executable`, `process.hash.sha256`, signer, `process.command_line`, and `process.Ext.relative_file_creation_time`.
  - Hint: use prior endpoint process starts or related alerts for `process.hash.sha256` only after identity and command line fit the suspected workflow. $investigate_2
  - Implication: escalate when the executable is newly created, unsigned, user-writable, mismatched to signer or path, or launched with script, LOLBin, unpacking, or self-extracting arguments; lower suspicion only when signer, hash history, path, age, and arguments all fit the same recognized helper workflow.

- What document, email, archive, or integration source caused Office to write the executable?
  - Focus: file events from writer `process.entity_id`; review `file.path`, `file.origin_url`, `file.origin_referrer_url`, and `file.Ext.windows.zone_identifier`.
  - Hint: if records are incomplete or the entity pivot returns none, use the same host, writer `process.pid`, and tight write-time window.
  - Implication: escalate when the write follows a downloaded document, email attachment, archive extraction, or web referrer outside the same recognized workflow; lower suspicion when provenance points to a recognized deployment package or Office integration source. Missing provenance is inconclusive, not benign.

- Did the executed file produce malicious follow-on process or file activity?
  - Focus: process and file events scoped to executed `process.entity_id`: child `process.parent.entity_id`, child `process.command_line`, and new `file.path` values.
  - Hint: if records are incomplete or the entity pivot returns none, use the same host, executed `process.pid`, and post-start window.
  - Implication: escalate when the payload launches script interpreters, LOLBins, unpackers, or additional binaries, or stages files outside the recognized product tree; lower urgency when follow-on activity stays limited to expected local install or update actions. Preserve Office-written DLLs, scripts, or shortcut launchers in the same scope as adjacent payload variants.

- If local findings remain suspicious or unresolved, do related alerts show the same delivery chain or spread?
  - Focus: related alerts for `host.id`, then pivot on recovered stable `user.id`; prioritize document delivery, script execution, persistence, and outbound connection alerts. $investigate_0
  - Implication: broaden scope when related alerts connect the same host or user to delivery, scripting, persistence, or beaconing; keep scope local when the sequence is isolated and local evidence supports one recognized workflow.

- Escalate when sequence, artifact, identity, delivery, behavior, or related-alert evidence supports suspicious Office write-to-execute activity; close only when all categories align with one recognized add-in, updater, or integration workflow and no contradictory artifacts remain; if evidence is mixed or incomplete, preserve artifacts and escalate.

### False positive analysis

- Office add-in, repair, updater, document-management, e-signature, DLP, or collaboration integrations can write and launch helper executables. Confirm that writer identity, written path, executed hash or signer, parent context, provenance, command line, and follow-on activity all point to the same product or integration workflow. If records are unavailable, require telemetry-only recurrence of the same writer, path tree, signer/hash pattern, and `host.id` or `user.id` cohort across prior alerts.
- Before creating an exception, validate that the same Office writer, path tree, executed signer or `process.hash.sha256`, provenance pattern, and `host.id`/`user.id` cohort recur across prior alerts from this rule. Build the exception from that minimum workflow pattern; avoid exceptions on Office process names, `process.name`, or `file.extension` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the writer identity, written path tree, executed hash and signer, parent/delivery context, and recurrence evidence. Create an exception only for the same stable workflow pattern.
- If suspicious but unconfirmed, preserve Timeline source events, copies of the written executable and source document/archive, process tree details, recovered entity IDs, command line, hash, path, and provenance URLs before containment. Apply reversible containment first: quarantine the lure or executable, block the confirmed hash/path temporarily where controls support it, or increase monitoring on the affected `host.id` and `user.id`. Isolate the host only if follow-on process/file evidence shows malicious staging or execution and the host can tolerate interruption.
- If confirmed malicious, isolate the host and terminate the executed payload after preserving the source events, process tree, written executable, lure document or archive, hash, signer, and provenance evidence. Block the confirmed hash or path where controls support it, then remove the malicious executable, lure, archive, and staged files identified during the investigation.
- Review related hosts and users for the same written path pattern, executed hash, signer, and provenance evidence before deleting artifacts. Then remediate the delivery path, such as the phishing message, archive, or malicious Office document, that led to the write-execute sequence.
- Post-incident hardening: restrict Office-driven writes and launches of executable content in user-writable paths, retain endpoint file-provenance and process-start telemetry, and record confirmed adjacent variants, such as Office-written DLLs, scripts, or shortcut launchers, in the case history for future triage.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "kibana.alert.reason",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the written executable path"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" }
    ]
]
relativeFrom = "now-2h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the executed file hash"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "process.hash.sha256", queryType = "phrase", value = "{{process.hash.sha256}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
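To make the EQL sequence concrete, the following Python is an added example (not Elastic's code) that replays the rule's logic over constructed endpoint events: the Office-writer filter, the join on `host.id` plus written `file.path` equal to started `process.executable`, the 2h maxspan, and the two trusted-signer exclusions. It assumes ECS field names as flat dictionary keys and `@timestamp` as a `datetime`; the sample events and host/path values are invented.

```python
from fnmatch import fnmatch
from datetime import datetime, timedelta

# Writers and exclusions copied from the rule query; lower-cased to mirror EQL's ':' operator.
OFFICE_WRITERS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                  "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe"}
EXCLUDED_SIGNED = [("newoutlookinstaller.exe", "Microsoft Corporation"),
                   ("sharefileforoutlook-v*.exe", "Citrix Systems, Inc.")]
MAXSPAN = timedelta(hours=2)

def is_office_exe_write(e):
    return (e["event.category"] == "file" and e["host.os.type"] == "windows"
            and e["event.type"] != "deletion"
            and e.get("file.extension", "").lower() == "exe"
            and e["process.name"].lower() in OFFICE_WRITERS)

def is_excluded_start(e):
    """Trusted-signed Microsoft/Citrix helper installers the rule drops."""
    sig = e.get("process.code_signature", {})
    return sig.get("trusted") is True and any(
        fnmatch(e["process.name"].lower(), pat) and sig.get("subject_name") == subj
        for pat, subj in EXCLUDED_SIGNED)

def is_candidate_start(e):
    return (e["event.category"] == "process" and e["host.os.type"] == "windows"
            and e["event.type"] == "start" and not is_excluded_start(e))

def find_sequences(events):
    """Return (write_event, start_event) pairs joined on host.id plus
    file.path == process.executable, with the start no more than maxspan
    after the write. Simplification: a start pairs with the latest prior write."""
    pending, matches = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if is_office_exe_write(e):
            pending[(e["host.id"], e["file.path"].lower())] = e
        elif is_candidate_start(e):
            key = (e["host.id"], e["process.executable"].lower())
            w = pending.get(key)
            if w is not None and e["@timestamp"] - w["@timestamp"] <= MAXSPAN:
                matches.append((w, e))
                del pending[key]
    return matches

# Constructed sample telemetry (not real data): ECS field names as flat keys.
T0 = datetime(2024, 1, 1, 9, 0)
def ev(cat, etype, minutes, fields):
    e = {"event.category": cat, "event.type": etype, "host.os.type": "windows",
         "host.id": "host-A", "@timestamp": T0 + timedelta(minutes=minutes)}
    return {**e, **fields}
def file_write(minutes, writer, path):
    return ev("file", "creation", minutes,
              {"file.path": path, "file.extension": "exe", "process.name": writer})
def proc_start(minutes, path, signer=None):
    sig = {"subject_name": signer, "trusted": True} if signer else {}
    return ev("process", "start", minutes, {"process.name": path.rsplit("\\", 1)[-1],
              "process.executable": path, "process.code_signature": sig})

TEMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_EVENTS = [
    file_write(0, "WINWORD.EXE", TEMP + r"\update.exe"),   # Word drops an exe ...
    proc_start(5, TEMP + r"\update.exe"),                   # ... started 5 min later: alert
    file_write(10, "OUTLOOK.EXE", TEMP + r"\NewOutlookInstaller.exe"),
    proc_start(12, TEMP + r"\NewOutlookInstaller.exe", "Microsoft Corporation"),  # excluded
    file_write(20, "EXCEL.EXE", TEMP + r"\late.exe"),
    proc_start(200, TEMP + r"\late.exe"),                   # 3h later: outside maxspan
]
```

Calling `find_sequences(SAMPLE_EVENTS)` returns only the Word/update.exe pair; the signed installer and the late start fall out for the same reasons they would in the EQL query.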
Related rules
- Potential Foxmail Exploitation
- Potential Notepad Markdown RCE Exploitation
- Suspicious Execution with NodeJS
- Unusual Execution via Microsoft Common Console File
- Conhost Spawned By Suspicious Parent Process