Office Macro File Creation
Detects the creation of new Office macro-enabled files on the system
Sigma rule
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of new Office macro-enabled files on the system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
        TargetFilename|contains: '\~$' # Temporary files created by Office applications
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low
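The following is an added example, not code from the Sigma project, that reimplements the rule's selection and filter logic in Python and runs it over a few constructed file_event records. Field names (Image, TargetFilename) are the ones the rule itself uses; the sample events, paths and user names are made up, and string comparisons are done case-insensitively, which is the Sigma default for these modifiers.

```python
"""Added example (not part of the Sigma rule or repository): evaluate the
Office Macro File Creation rule over constructed Windows file_event records.

Sigma string modifiers (endswith / startswith / contains) are case-insensitive
by default, so every comparison below lower-cases both sides first.
"""

# Values copied from the rule, lower-cased for case-insensitive matching.
MACRO_EXTENSIONS = ('.docm', '.dotm', '.xlsm', '.xltm', '.potm', '.pptm')
OFFICE_DIRS = ('c:\\program files\\microsoft office\\',
               'c:\\program files (x86)\\microsoft office\\')
OFFICE_IMAGES = ('\\winword.exe', '\\excel.exe', '\\powerpnt.exe')


def selection(event):
    """selection: TargetFilename ends with a macro-enabled Office extension."""
    name = event.get('TargetFilename', '').lower()
    return name.endswith(MACRO_EXTENSIONS)


def filter_main_office(event):
    """filter_main_office: all three keys in the map must hold (Sigma ANDs them),
    i.e. a genuine Office binary writing one of its own '~$' temporary files."""
    image = event.get('Image', '').lower()
    name = event.get('TargetFilename', '').lower()
    return (image.startswith(OFFICE_DIRS)
            and image.endswith(OFFICE_IMAGES)
            and '\\~$' in name)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_office(event)


# Constructed sample events (hypothetical paths and user names).
SAMPLE_EVENTS = [
    # 0: Word writing its own ~$ lock/temp file -> excluded by the filter
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\~$report.docm"},
    # 1: Word saving a real .docm -> matches (the documented false-positive source)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docm"},
    # 2: a non-Office process writing a macro-enabled workbook -> matches
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.xlsm"},
    # 3: plain .xlsx, not macro-enabled -> selection does not fire
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
]


def run(events):
    """Return the indices of events that would raise the alert."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"alert: {e['Image']} -> {e['TargetFilename']}")
```

Note that the filter is deliberately narrow: it only excludes Office's own "~$" temporary files, so an ordinary user saving a .docm from Word (event 1) still fires, which is why the rule is rated low and lists macro-heavy environments as a false-positive source. Tuning for such environments means adding further filter_main_* maps (the condition's wildcard picks them up), not loosening the selection.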
Related rules
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Droppers Exploiting CVE-2017-11882
- ISO File Created Within Temp Folders
- Office Macro File Download
- Suspicious File Created in Outlook Temporary Directory