Office Macro File Download

calendar Mar 1, 2024 · attack.initial_access attack.t1566.001  ·
Share on: linkedin copy

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

Sigma rule (View on GitHub)

 1title: Office Macro File Download
 2id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
 3related:
 4    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
 5      type: similar
 6status: test
 7description: Detects the creation of a new office macro files on the systems via an application (browser, mail client).
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
10    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022/01/23
13modified: 2023/04/18
14tags:
15    - attack.initial_access
16    - attack.t1566.001
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection_processes:
22        Image|endswith:
23            # Email clients
24            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
25            - '\outlook.exe'
26            - '\thunderbird.exe'
27            # Browsers
28            - '\brave.exe'
29            - '\chrome.exe'
30            - '\firefox.exe'
31            - '\iexplore.exe'
32            - '\maxthon.exe'
33            - '\MicrosoftEdge.exe'
34            - '\msedge.exe'
35            - '\msedgewebview2.exe'
36            - '\opera.exe'
37            - '\safari.exe'
38            - '\seamonkey.exe'
39            - '\vivaldi.exe'
40            - '\whale.exe'
41    selection_ext:
42        - TargetFilename|endswith:
43              - '.docm'
44              - '.dotm'
45              - '.xlsm'
46              - '.xltm'
47              - '.potm'
48              - '.pptm'
49        - TargetFilename|contains:
50              - '.docm:Zone'
51              - '.dotm:Zone'
52              - '.xlsm:Zone'
53              - '.xltm:Zone'
54              - '.potm:Zone'
55              - '.pptm:Zone'
56    condition: all of selection_*
57falsepositives:
58    - Legitimate macro files downloaded from the internet
59    - Legitimate macro files sent as attachments via emails
60level: medium

References

Related rules

to-top