Office Macro File Creation From Suspicious Process
Detects the creation of an Office macro file from a suspicious process
Sigma rule
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of an Office macro file from a suspicious process
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/23
modified: 2023/02/22
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_cmd:
        - Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Related rules
- Suspicious Microsoft OneNote Child Process
- ISO Image Mounted
- Potential Initial Access via DLL Search Order Hijacking
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- ISO File Created Within Temp Folders