Office Macro File Creation From Suspicious Process
Detects the creation of an Office macro file from a suspicious process
Sigma rule

title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of an Office macro file from a suspicious process
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_cmd:
        - Image|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
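The rule's logic, evaluated in Python over constructed Sysmon EID 11 file-creation events. This is an added illustration, not code from the Sigma project or the rule authors; the sample events are made up, and the `ParentImage` handling shows why the rule still fires on `Image` alone when the event has not been enriched.

```python
# Added example (not part of the Sigma rule or the Sigma project): evaluates
# the rule's 'all of selection_*' condition over constructed Sysmon EID 11
# events. Sigma string matching is case-insensitive by default.
SCRIPT_HOSTS = ("\\cscript.exe", "\\mshta.exe", "\\regsvr32.exe",
                "\\rundll32.exe", "\\wscript.exe")
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")


def _endswith_any(value, suffixes):
    """Case-insensitive |endswith over a list of values; missing field -> no match."""
    if value is None:
        return False
    low = value.lower()
    return any(low.endswith(s) for s in suffixes)


def matches_rule(event):
    """True when the event satisfies both selections of the rule.

    selection_cmd is a YAML list of two maps, which Sigma ORs: either Image or
    ParentImage may end with a script host. ParentImage is absent on plain
    Sysmon EID 11 events, so the Image branch alone carries the detection then.
    selection_ext requires a macro-enabled Office extension on TargetFilename.
    """
    selection_cmd = (_endswith_any(event.get("Image"), SCRIPT_HOSTS)
                     or _endswith_any(event.get("ParentImage"), SCRIPT_HOSTS))
    selection_ext = _endswith_any(event.get("TargetFilename"), MACRO_EXTS)
    return selection_cmd and selection_ext


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",                 # script host, .DOCM -> alert
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\invoice.DOCM"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\u\Documents\report.docm"},     # Word itself -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe",                     # enriched ParentImage -> alert
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\u\Downloads\macro.xlsm"},
    {"Image": r"C:\Windows\System32\cscript.exe",                 # .docx has no macros -> no alert
     "TargetFilename": r"C:\Users\u\Downloads\notes.docx"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the subset of events this rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events():
        print("ALERT:", e["Image"], "->", e["TargetFilename"])
```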
Related rules
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- HTML Help HH.EXE Suspicious Child Process
- ISO Image Mounted
- ISO or Image Mount Indicator in Recent Files