Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
Sigma rule (View on GitHub)
1title: Potential Arbitrary File Download Using Office Application
2id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
3related:
4 - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
5 type: obsoletes
6status: experimental
7description: Detects potential arbitrary file download using a Microsoft Office application
8references:
9 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
10 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
11 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
12 - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
13author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
14date: 2022/05/17
15modified: 2023/06/22
16tags:
17 - attack.defense_evasion
18 - attack.t1202
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_img:
24 - Image|endswith:
25 - '\EXCEL.EXE'
26 - '\POWERPNT.EXE'
27 - '\WINWORD.exe'
28 - OriginalFileName:
29 - 'Excel.exe'
30 - 'POWERPNT.EXE'
31 - 'WinWord.exe'
32 selection_http:
33 CommandLine|contains:
34 - 'http://'
35 - 'https://'
36 condition: all of selection_*
37falsepositives:
38 - Unknown
39level: high
References
Related rules
- Renamed PAExec Execution
- Suspicious Child Process Of BgInfo.EXE
- Potential Binary Impersonating Sysinternals Tools
- Suspicious Cmdl32 Execution
- Suspicious High IntegrityLevel Conhost Legacy Option