Uncommon File Created In Office Startup Folder

 1title: Uncommon File Created In Office Startup Folder
 2id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
 3status: test
 4description: Detects the creation of a file with an uncommon extension in an Office application startup folder
 5references:
 6    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
 7    - http://addbalance.com/word/startup.htm
 8    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
 9    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
10author: frack113, Nasreddine Bencherchali (Nextron Systems)
11date: 2022-06-05
12modified: 2023-12-13
13tags:
14    - attack.resource-development
15    - attack.t1587.001
16logsource:
17    product: windows
18    category: file_event
19detection:
20    selection_word_paths:
21        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
22        - TargetFilename|contains|all:
23              - '\Office'
24              - '\Program Files'
25              - '\STARTUP'
26    filter_exclude_word_ext:
27        TargetFilename|endswith:
28            - '.docb' # Word binary document introduced in Microsoft Office 2007
29            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
30            - '.docx' # Word document
31            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
32            - '.mdb' # MS Access DB
33            - '.mdw' # MS Access DB
34            - '.pdf' # PDF documents
35            - '.wll' # Word add-in
36            - '.wwl' # Word add-in
37    selection_excel_paths:
38        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
39        - TargetFilename|contains|all:
40              - '\Office'
41              - '\Program Files'
42              - '\XLSTART'
43    filter_exclude_excel_ext:
44        TargetFilename|endswith:
45            - '.xll'
46            - '.xls'
47            - '.xlsm'
48            - '.xlsx'
49            - '.xlt'
50            - '.xltm'
51            - '.xlw'
52    filter_main_office_click_to_run:
53        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
54        Image|endswith: '\OfficeClickToRun.exe'
55    filter_main_office_apps:
56        Image|contains:
57            - ':\Program Files\Microsoft Office\'
58            - ':\Program Files (x86)\Microsoft Office\'
59        Image|endswith:
60            - '\winword.exe'
61            - '\excel.exe'
62    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
63falsepositives:
64    - False positive might stem from rare extensions used by other Office utilities.
65level: high

References

• Analysis download(1).doc (MD5: 14F4C470C207E22C3B0A4EFA7B4200E8) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Startup Folder in Microsoft Word

  

  Where can I find the Word Startup folder? What is the Word Startup folder?

  
  Read More

• Redirecting

  
  Read More

• List of Microsoft Office filename extensions - Wikipedia

  The following is a list of filename extensions used by programs in the Microsoft Office suite. Legacy Legacy filename extensions denote binary Microsoft Word formatting that became outdated with th...

  
  Read More

Related rules

• Conti Volume Shadow Listing
• Formbook Process Creation
• Mustang Panda Dropper
• PUA - CsExec Execution
• Potential Privilege Escalation To LOCAL SYSTEM