Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to bypass macro security and execute their malicious code.
Sigma rule
title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to bypass macro security and execute their malicious code.
references:
    - Internal Research
    - https://twitter.com/Max_Mal_/status/1633863678909874176
    - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
    - https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
        ParentImage|endswith:
            - '\explorer.exe'
            - '\dopus.exe'
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_trusted_location:
        CommandLine|contains:
            # Note: these are the default locations. Admins/Users could add additional ones that you need to cover
            - '\AppData\Roaming\Microsoft\Templates'
            - '\AppData\Roaming\Microsoft\Word\Startup\'
            - '\Microsoft Office\root\Templates\'
            - '\Microsoft Office\Templates\'
    filter_main_dotx:
        # Note: We add this filter to avoid curious people clicking on template files
        CommandLine|endswith:
            - '.dotx'
            - '.xltx'
            - '.potx'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
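To see how the three selections and the template filter combine under the condition `all of selection_* and not 1 of filter_main_*`, here is an added Python example that evaluates the rule's logic against a few constructed process_creation events. It is illustrative code written for this page, not code from the SigmaHQ project or from pySigma; the field values, user name and file names in the sample events are made up.

```python
"""Added example: evaluate the Sigma rule above against constructed
process_creation events. Not part of SigmaHQ or pySigma; the events
below are constructed samples, not real telemetry."""

# Parent processes the rule accepts (Explorer and Directory Opus).
PARENT_IMAGE_SUFFIXES = ("\\explorer.exe", "\\dopus.exe")
# Office binaries, matched on the image path or on the PE OriginalFileName,
# so a renamed copy of WINWORD.EXE still satisfies selection_img.
OFFICE_IMAGE_SUFFIXES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe")
OFFICE_ORIGINAL_NAMES = ("excel.exe", "powerpnt.exe", "winword.exe")
# Default Office trusted locations listed in the rule.
TRUSTED_LOCATION_FRAGMENTS = (
    "\\appdata\\roaming\\microsoft\\templates",
    "\\appdata\\roaming\\microsoft\\word\\startup\\",
    "\\microsoft office\\root\\templates\\",
    "\\microsoft office\\templates\\",
)
# Macro-free template formats that the rule filters out.
TEMPLATE_EXTENSIONS = (".dotx", ".xltx", ".potx")


def _lower(value):
    return (value or "").lower()


def matches_rule(event):
    """Return True when the event satisfies
    'all of selection_* and not 1 of filter_main_*'.
    Sigma string matching (plain, endswith, contains) is case-insensitive,
    so both sides are lowercased before comparison."""
    parent = _lower(event.get("ParentImage"))
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    cmdline = _lower(event.get("CommandLine"))

    selection_parent = parent.endswith(PARENT_IMAGE_SUFFIXES)
    selection_img = (image.endswith(OFFICE_IMAGE_SUFFIXES)
                     or original in OFFICE_ORIGINAL_NAMES)
    selection_trusted_location = any(f in cmdline for f in TRUSTED_LOCATION_FRAGMENTS)
    filter_main_dotx = cmdline.endswith(TEMPLATE_EXTENSIONS)

    return (selection_parent and selection_img
            and selection_trusted_location and not filter_main_dotx)


WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
TEMPLATES = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates"

# Constructed sample events (hypothetical paths and file names).
SAMPLE_EVENTS = {
    # Word opened from Explorer on a macro-enabled document in Templates.
    "macro_doc_in_templates": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": WINWORD,
        "OriginalFileName": "WinWord.exe",
        "CommandLine": f'"{WINWORD}" /n {TEMPLATES}\\invoice.docm',
    },
    # Same launch on a .dotx template: filter_main_dotx suppresses it.
    "plain_template_unquoted": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": WINWORD,
        "OriginalFileName": "WinWord.exe",
        "CommandLine": f'"{WINWORD}" /n {TEMPLATES}\\letter.dotx',
    },
    # Parent is cmd.exe, not a file-manager shell: selection_parent fails.
    "non_shell_parent": {
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": WINWORD,
        "OriginalFileName": "WinWord.exe",
        "CommandLine": f'"{WINWORD}" /n {TEMPLATES}\\invoice.docm',
    },
    # Renamed Word binary: the image path no longer matches, but
    # OriginalFileName still does, so selection_img holds.
    "renamed_office_binary": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Users\\alice\\Downloads\\updater.exe",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": "updater.exe C:\\Users\\alice\\AppData\\Roaming"
                       "\\Microsoft\\Word\\Startup\\addin.dotm",
    },
    # The .dotx path is quoted, so the command line ends with '"' rather
    # than '.dotx' and the endswith filter does not fire.
    "plain_template_quoted": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": WINWORD,
        "OriginalFileName": "WinWord.exe",
        "CommandLine": f'"{WINWORD}" /n "{TEMPLATES}\\letter.dotx"',
    },
}


def run_samples():
    """Evaluate every constructed event; returns {name: matched}."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:28s} -> {'ALERT' if hit else 'no match'}")
```

The last sample shows a tuning point worth checking against your own telemetry: `endswith` is evaluated on the literal command line, so when the document path is quoted the closing quote follows the extension and the template filter does not apply. If your process-creation source records quoted paths, the filter list needs the quoted variants as well (for example `.dotx"`), otherwise benign template opens from these folders will alert.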
Related rules
- Potentially Suspicious Child Process Of VsCode
- Renamed CURL.EXE Execution
- Windows Binary Executed From WSL
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE