Office Macro File Creation

Detects the creation of a new office macro files on the systems

Sigma rule (View on GitHub)

 1title: Office Macro File Creation
 2id: 91174a41-dc8f-401b-be89-7bfc140612a0
 3related:
 4    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
 5      type: similar
 6status: test
 7description: Detects the creation of a new office macro files on the systems
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
10    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-01-23
13tags:
14    - attack.initial-access
15    - attack.t1566.001
16logsource:
17    category: file_event
18    product: windows
19detection:
20    selection:
21        TargetFilename|endswith:
22            - '.docm'
23            - '.dotm'
24            - '.xlsm'
25            - '.xltm'
26            - '.potm'
27            - '.pptm'
28    condition: selection
29falsepositives:
30    - Very common in environments that rely heavily on macro documents
31level: low

References

Related rules

to-top