File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
Sigma rule (View on GitHub)
1title: File With Uncommon Extension Created By An Office Application
2id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
3status: test
4description: Detects the creation of files with an executable or script extension by an Office application.
5references:
6 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
7 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
8author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
9date: 2021/08/23
10modified: 2023/06/22
11tags:
12 - attack.t1204.002
13 - attack.execution
14logsource:
15 product: windows
16 category: file_event
17detection:
18 # Note: Please add more file extensions to the logic of your choice.
19 selection1:
20 Image|endswith:
21 - '\excel.exe'
22 - '\msaccess.exe'
23 - '\mspub.exe'
24 - '\powerpnt.exe'
25 - '\visio.exe'
26 - '\winword.exe'
27 selection2:
28 TargetFilename|endswith:
29 - '.bat'
30 - '.cmd'
31 - '.com'
32 - '.dll'
33 - '.exe'
34 - '.hta'
35 - '.ocx'
36 - '.proj'
37 - '.ps1'
38 - '.scf'
39 - '.scr'
40 - '.sys'
41 - '.vbe'
42 - '.vbs'
43 - '.wsf'
44 - '.wsh'
45 filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
46 TargetFilename|contains|all:
47 - 'C:\Users\'
48 - '\AppData\Local\Microsoft\Office\'
49 - '\WebServiceCache\AllUsers'
50 TargetFilename|endswith: '.com'
51 filter_optional_webex:
52 Image|endswith: '\winword.exe'
53 TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
54 TargetFilename|endswith:
55 - '.dll'
56 - '.exe'
57 filter_main_localassembly:
58 TargetFilename|contains: '\AppData\Local\assembly\tmp\'
59 TargetFilename|endswith: '.dll'
60 condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
61falsepositives:
62 - Unknown
63level: high
References
-
Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind the Travelex intrusion and current reports point to an attack against Acer for a reported $50 million ransom demand.
Read More -
Detection Ideas & Rules repository. Contribute to vadim-hunter/Detection-Ideas-Rules development by creating an account on GitHub.
Read More
Related rules
- Droppers Exploiting CVE-2017-11882
- Microsoft Excel Add-In Loaded From Uncommon Location
- Microsoft VBA For Outlook Addin Loaded Via Outlook
- Ursnif Malware C2 URL Pattern
- Download From Suspicious TLD - Whitelist