Office product drops script at suspicious location
Sigma rule
title: Office product drops script at suspicious location
status: experimental
description: Office product drops script at suspicious location
author: Joe Security
date: 2020-01-30
id: 200047
threatname:
behaviorgroup: 1
classification: 7
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        Image:
            - '*\Microsoft Office*\Office*\WINWORD.EXE*'
            - '*\Microsoft Office*\Office*\EXCEL.EXE*'
        TargetFilename:
            - '*\AppData\Roaming\\*.vbs*'
            - '*\AppData\Roaming\\*.js*'
            - '*\AppData\Roaming\\*.jse*'
            - '*\AppData\Roaming\\*.bat*'
            - '*\AppData\Roaming\\*.url*'
            - '*\AppData\Roaming\\*.cmd*'
            - '*\AppData\Roaming\\*.hta*'
            - '*\AppData\Roaming\\*.ps1*'
            - '*\AppData\Local\Temp\\*.vbs*'
            - '*\AppData\Local\Temp\\*.js*'
            - '*\AppData\Local\Temp\\*.jse*'
            - '*\AppData\Local\Temp\\*.bat*'
            - '*\AppData\Local\Temp\\*.url*'
            - '*\AppData\Local\Temp\\*.cmd*'
            - '*\AppData\Local\Temp\\*.hta*'
            - '*\AppData\Local\Temp\\*.ps1*'
    selection1:
        EventID: 11
        Image:
            - '*\Microsoft Office*\Office*\WINWORD.EXE*'
            - '*\Microsoft Office*\Office*\EXCEL.EXE*'
        TargetFilename:
            - '*\AppData\Roaming\Microsoft\Office\Recent\\*.url*'

    condition: selection and not selection1
level: critical
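To show how the rule above actually evaluates against Sysmon file-creation events, here is an added Python example (not part of the Joe Security rule or this page) that applies Sigma wildcard semantics ('*' any run, '?' one character, '\\' a literal backslash, case-insensitive) to the rule's two selections and its `selection and not selection1` condition. The function names and the sample events are constructed for illustration; the last event demonstrates that `*.js*` also matches `.json`, a tuning point worth knowing before deploying this rule at level critical.

```python
import re

def sigma_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma wildcard string into an anchored, case-insensitive regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))  # escaped '*', '?' or '\' is literal
            i += 2
            continue
        out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

# Patterns copied from the rule; raw strings keep the Sigma '\\*' escape intact.
OFFICE_IMAGES = [r"*\Microsoft Office*\Office*\WINWORD.EXE*",
                 r"*\Microsoft Office*\Office*\EXCEL.EXE*"]
SCRIPT_EXTS = ["vbs", "js", "jse", "bat", "url", "cmd", "hta", "ps1"]
SELECTION = {"EventID": [11], "Image": OFFICE_IMAGES,
             "TargetFilename": [rf"*\AppData\Roaming\\*.{e}*" for e in SCRIPT_EXTS]
                             + [rf"*\AppData\Local\Temp\\*.{e}*" for e in SCRIPT_EXTS]}
SELECTION1 = {"EventID": [11], "Image": OFFICE_IMAGES,
              "TargetFilename": [r"*\AppData\Roaming\Microsoft\Office\Recent\\*.url*"]}

def selection_matches(selection: dict, event: dict) -> bool:
    """Sigma semantics: fields in a map are ANDed, values in a list are ORed."""
    for field, values in selection.items():
        actual = event.get(field)
        if actual is None:
            return False
        if not any(actual == v if isinstance(v, int) else
                   bool(sigma_to_regex(v).match(str(actual))) for v in values):
            return False
    return True

def rule_fires(event: dict) -> bool:
    """condition: selection and not selection1"""
    return selection_matches(SELECTION, event) and not selection_matches(SELECTION1, event)

# Constructed Sysmon Event ID 11 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\invoice.vbs"},           # fires
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Office\Recent\Q1.docx.url"},  # excluded by selection1
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\loader.JS"},          # fires (case-insensitive)
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\notes.ps1"},             # wrong Image
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\settings.json"},         # fires: '*.js*' also hits .json
]
```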