Winword Drops Script In Startup

Winword.exe drops script file in startup location

Sigma rule

title: Winword Drops Script In Startup
status: experimental
description: Winword.exe drops script file in startup location
author: Joe Security
id: 200017
threatname:
behaviorgroup: 1
classification: 7
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        Image: '*\Microsoft Office\Office*\WINWORD.EXE*'
        TargetFilename:
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.vbs*'
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.js*'
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.bat*'
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.url*'
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.cmd*'
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.hta*'
            - '*\AppData\Roaming\Microsoft\\*\STARTUP\\*.ps1*'
    condition: selection
level: critical
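To show how the selection above evaluates against Sysmon file-creation (Event ID 11) events, here is an added Python example (not part of Joe Security's rule or tooling) that translates the rule's wildcard strings into regexes, honouring Sigma's escaping rules (which is why the rule writes `\\*` before each wildcard that follows a path separator), and runs them over a few constructed events. The Office and user-profile paths, the user name and the `alerts` helper are assumptions made for the sample data.

```python
import re
# Selection block of the rule above (Joe Security, id 200017), same patterns.
SELECTION = {
    "EventID": 11,
    "Image": r"*\Microsoft Office\Office*\WINWORD.EXE*",
    "TargetFilename": [r"*\AppData\Roaming\Microsoft\\*\STARTUP\\*." + ext + "*"
                       for ext in ("vbs", "js", "bat", "url", "cmd", "hta", "ps1")],
}

def sigma_to_regex(pattern):
    # Sigma escaping: '*' and '?' are wildcards, '\*' and '\?' are literals and
    # '\\' is one literal backslash; any other '\' is itself literal. That is why
    # the rule writes '\\*' where a path separator is followed by a wildcard.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            out.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
            i += 1
    # Sigma string comparison is case-insensitive.
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)

def field_matches(value, patterns):
    # A list in Sigma is OR; integers compare by value, strings as wildcards.
    for p in patterns if isinstance(patterns, list) else [patterns]:
        if isinstance(p, int):
            if str(value) == str(p):
                return True
        elif value is not None and sigma_to_regex(p).match(str(value)):
            return True
    return False

def rule_matches(event):
    # 'condition: selection': every field of the selection map must match (AND).
    return all(field_matches(event.get(f), p) for f, p in SELECTION.items())

WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"      # assumed path
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP"   # assumed path
# Constructed sample Sysmon file-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": WORD, "TargetFilename": STARTUP + r"\update.vbs"},   # fires
    {"EventID": 11, "Image": WORD, "TargetFilename": STARTUP + r"\Normal.dotm"},  # template: no
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\update.vbs"},                                  # not Word: no
]
def alerts(events=SAMPLE_EVENTS):
    return [e["TargetFilename"] for e in events if rule_matches(e)]
```

Note that the `Image` pattern expects `\Microsoft Office\Office…\` directly under the install root, while Click-to-Run installs place WINWORD.EXE under `\Microsoft Office\root\Office16\`, so check the pattern against the install layout seen in your own telemetry before relying on it.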