File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
Sigma rule (View on GitHub)
1title: File With Uncommon Extension Created By An Office Application
2id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
3status: test
4description: Detects the creation of files with an executable or script extension by an Office application.
5references:
6 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
7 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
8author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
9date: 2021-08-23
10modified: 2025-10-17
11tags:
12 - attack.t1204.002
13 - attack.execution
14logsource:
15 product: windows
16 category: file_event
17detection:
18 # Note: Please add more file extensions to the logic of your choice.
19 selection1:
20 Image|endswith:
21 - '\excel.exe'
22 - '\msaccess.exe'
23 - '\mspub.exe'
24 - '\powerpnt.exe'
25 - '\visio.exe'
26 - '\winword.exe'
27 selection2:
28 TargetFilename|endswith:
29 - '.bat'
30 - '.cmd'
31 - '.com'
32 - '.dll'
33 - '.exe'
34 - '.hta'
35 - '.ocx'
36 - '.proj'
37 - '.ps1'
38 - '.scf'
39 - '.scr'
40 - '.sys'
41 - '.vbe'
42 - '.vbs'
43 - '.wsf'
44 - '.wsh'
45 filter_main_localassembly:
46 TargetFilename|contains: '\AppData\Local\assembly\tmp\'
47 TargetFilename|endswith: '.dll'
48 filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
49 TargetFilename|contains|all:
50 - 'C:\Users\'
51 - '\AppData\Local\Microsoft\Office\'
52 - '\WebServiceCache\AllUsers'
53 TargetFilename|endswith: '.com'
54 filter_optional_webex:
55 Image|endswith: '\winword.exe'
56 TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
57 TargetFilename|endswith:
58 - '.dll'
59 - '.exe'
60 filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
61 TargetFilename|contains|all:
62 - 'C:\Users\'
63 - '\AppData\Local\Microsoft\Office\'
64 - '\BackstageInAppNavCache\'
65 TargetFilename|endswith: '.com'
66 condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
67falsepositives:
68 - Unknown
69level: high
References
-
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind the Travelex intrus…
Read More -
Detection Ideas & Rules repository. Contribute to vadim-hunter/Detection-Ideas-Rules development by creating an account on GitHub.
Read More
Related rules
- Potential Suspicious Browser Launch From Document Reader Process
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- Ursnif Malware C2 URL Pattern
- Suspicious Microsoft Office Child Process
- Kapeka Backdoor Loaded Via Rundll32.EXE