File Creation by Office Applications

This rule monitors executable and script file creation by Office applications. Add further file extensions or magic bytes to the detection logic as your environment requires.

Sigma rule

title: File Creation by Office Applications
id: 8c6fd6fc-28fc-4597-a86a-fc1de20b039d
description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
tags:
    - attack.t1204.002
    - attack.t1047
    - attack.t1218.010
    - attack.execution
    - attack.defense_evasion
status: experimental
date: 2021/08/23
modified: 2022/06/02
logsource:
    product: windows
    category: file_event
detection:
    #useful_information: Please add more file extensions and magic bytes to the logic of your choice.
    selection1:
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\outlook.exe'
    selection2:
        FileName|endswith:
            - ".exe"
            - ".dll"
            - ".ocx"
            - ".com"
            - ".ps1"
            - ".vbs"
            - ".sys"
            - ".bat"
            - ".scr"
            - ".proj"
    selection3:
        FileMagicBytes|startswith:
            - "4D5A"
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - Unknown
level: high
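To show how the condition above behaves on concrete telemetry, here is an added evaluator in Python that is not part of the Sigma project or of this rule. It reproduces the three selections and the `selection1 and (selection2 or selection3)` condition with Sigma's default case-insensitive string matching, and runs them over a handful of constructed file-creation events. The field names (Image, FileName, FileMagicBytes) are taken from the rule as shown; the sample paths and events are invented for the demonstration.

```python
"""Added example (not the Sigma project's code): evaluate the rule's
detection logic over constructed Windows file-creation events."""

# Values copied from the rule's selections.
OFFICE_IMAGES = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe")
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ocx", ".com", ".ps1",
                         ".vbs", ".sys", ".bat", ".scr", ".proj")
PE_MAGIC_HEX = "4D5A"  # "MZ": the DOS header that begins every PE image


def _endswith_any(value, suffixes):
    """Sigma's endswith modifier matches case-insensitively by default."""
    text = (value or "").lower()
    return any(text.endswith(suffix.lower()) for suffix in suffixes)


def selection1(event):
    """Creating process is one of the four Office binaries."""
    return _endswith_any(event.get("Image"), OFFICE_IMAGES)


def selection2(event):
    """Created file carries an executable or script extension."""
    return _endswith_any(event.get("FileName"), SUSPICIOUS_EXTENSIONS)


def selection3(event):
    """Created file starts with the PE magic, whatever its extension."""
    magic = (event.get("FileMagicBytes") or "").upper()
    return magic.startswith(PE_MAGIC_HEX)


def matches(event):
    """The rule's condition: selection1 and (selection2 or selection3)."""
    return selection1(event) and (selection2(event) or selection3(event))


def find_alerts(events):
    """Return the ids of all events the rule would flag."""
    return [event["id"] for event in events if matches(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Word drops an .exe into the user's temp folder: extension match.
    {"id": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "FileName": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Excel writes a ".tmp" that is really a PE: caught by magic bytes only.
    {"id": 2,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "FileName": r"C:\Users\alice\AppData\Roaming\report.tmp",
     "FileMagicBytes": "4D5A90000300"},
    # Word saving a normal document (ZIP magic "PK"): benign, no match.
    {"id": 3,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "FileName": r"C:\Users\alice\Documents\Budget.docx",
     "FileMagicBytes": "504B0304"},
    # A DLL written by a non-Office process: selection1 fails, no match.
    {"id": 4,
     "Image": r"C:\Windows\System32\svchost.exe",
     "FileName": r"C:\Windows\Temp\svc.dll"},
    # Outlook writing a .vbs: extension match.
    {"id": 5,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "FileName": r"C:\Users\alice\AppData\Local\Temp\invoice.vbs"},
]

if __name__ == "__main__":
    print("alerting event ids:", find_alerts(SAMPLE_EVENTS))  # [1, 2, 5]
```

Event 2 is the reason selection3 exists: a PE written under a harmless extension is missed by the extension list but still carries the `MZ` header. Note, as a deployment caveat, that Sysmon's FileCreate event (ID 11) records the created path as `TargetFilename` and does not record file magic bytes at all, so a backend field mapping is needed for `FileName`, and selection3 only contributes on log sources that actually capture the file header.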
