Office Macro File Download

Detects the creation of new Office macro files on the system by an application that receives content from outside (browser, mail client). This can help identify potentially malicious activity, such as the download of macro-enabled documents that could be used for exploitation.

Sigma rule

title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of new Office macro files on the system by an application (browser, mail client).
    This can help identify potentially malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Mail and similar store clients use RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        # Either the macro-enabled file itself or its Zone.Identifier alternate
        # data stream (the Mark-of-the-Web written for downloaded content)
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low
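To show how the two selections combine (both must match, while each list inside `selection_ext` is an OR), here is an added Python evaluator of the rule's logic run over constructed Sysmon FileCreate (Event ID 11) records. It is not part of the SigmaHQ project or the rule itself; the field names `Image` and `TargetFilename` follow the Sigma `file_event` schema the rule targets, and the sample events are made up for the example.

```python
# Added example: evaluate the "Office Macro File Download" rule logic in Python.
# Sigma string modifiers (endswith/contains) are case-insensitive, so every
# comparison below lowercases both sides.

MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")
DOWNLOADER_IMAGES = (
    "\\runtimebroker.exe", "\\outlook.exe", "\\thunderbird.exe",
    "\\brave.exe", "\\chrome.exe", "\\firefox.exe", "\\iexplore.exe",
    "\\maxthon.exe", "\\microsoftedge.exe", "\\msedge.exe",
    "\\msedgewebview2.exe", "\\opera.exe", "\\safari.exe",
    "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe",
)


def selection_processes(event: dict) -> bool:
    """Image|endswith: the creating process is a browser or mail client."""
    return event.get("Image", "").lower().endswith(DOWNLOADER_IMAGES)


def selection_ext(event: dict) -> bool:
    """TargetFilename|endswith a macro extension, OR TargetFilename|contains
    '<ext>:Zone' (the Zone.Identifier ADS Windows writes for downloaded files)."""
    name = event.get("TargetFilename", "").lower()
    return name.endswith(MACRO_EXTS) or any(f"{ext}:zone" in name for ext in MACRO_EXTS)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_processes(event) and selection_ext(event)


def alerts(events: list) -> list:
    """Return the subset of events the rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed Sysmon Event ID 11 records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.docm"},          # match
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.docm:Zone.Identifier"},  # match (MOTW)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\quote.xlsm"},   # match
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docm"},           # Word saving: no match
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},            # not a macro file
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Running it prints the three alerts and stays silent on the Word save and the PDF download, which illustrates why the rule is rated low: it cannot tell a malicious macro document from a legitimately downloaded one, only that one arrived through a browser or mail client.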
