Office Macro File Creation

 1title: Office Macro File Creation
 2id: 91174a41-dc8f-401b-be89-7bfc140612a0
 3related:
 4    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
 5      type: similar
 6status: test
 7description: Detects the creation of a new office macro files on the systems
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
10    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022/01/23
13tags:
14    - attack.initial_access
15    - attack.t1566.001
16logsource:
17    category: file_event
18    product: windows
19detection:
20    selection:
21        TargetFilename|endswith:
22            - '.docm'
23            - '.dotm'
24            - '.xlsm'
25            - '.xltm'
26            - '.potm'
27            - '.pptm'
28    condition: selection
29falsepositives:
30    - Very common in environments that rely heavily on macro documents
31level: low

References

• atomic-red-team/atomics/T1566.001/T1566.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• File format reference for Word, Excel, and PowerPoint - Deploy Office

  

  Learn about the formats and their extensions used by Word, Excel, and PowerPoint.

  
  Read More

Related rules

• Arbitrary Shell Command Execution Via Settingcontent-Ms
• ISO File Created Within Temp Folders
• Password Protected ZIP File Opened (Email Attachment)
• ISO or Image Mount Indicator in Recent Files
• Windows Registry Trust Record Modification