Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Sigma rule
```yaml
title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
    - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
    - attack.g0046
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.exe'
            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\Teams.exe'
    condition: selection and not filter
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
```
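The following is an added example, not part of the Sigma rule or the Sigma project: a minimal stand-alone evaluator that applies the rule's `selection`, `filter` and `condition` to constructed `process_creation` events, so the matching logic (including Sigma's case-insensitive string modifiers and the `\Teams.exe` exclusion) can be checked offline. Field names follow the Sigma process_creation taxonomy (`Image`, `ParentImage`, `CommandLine`, `ParentCommandLine`); the sample events, user names and file paths are made up for illustration.

```python
# Added example (not the Sigma rule's own code): evaluate this rule's detection
# logic against constructed process_creation events.

# Sigma string matching is case-insensitive, so every value is compared in
# lower case. Backslashes in the rule values are literal path separators.
PARENT_SUFFIXES = (
    "\\winword.exe",
    "\\excel.exe",
    "\\powerpnt.exe",
    "\\mspub.exe",
    "\\visio.exe",
    "\\msaccess.exe",
    "\\eqnedt32.exe",
    # "\\outlook.exe" is deliberately excluded, as in the rule (too many FPs)
)
IMAGE_PREFIX = "c:\\users\\"
IMAGE_SUFFIX = ".exe"
FILTER_SUFFIXES = ("\\teams.exe",)  # the rule's `filter` block


def selection(event: dict) -> bool:
    """True when the event satisfies the rule's `selection` block."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return (
        parent.endswith(PARENT_SUFFIXES)
        and image.startswith(IMAGE_PREFIX)
        and image.endswith(IMAGE_SUFFIX)
    )


def filtered(event: dict) -> bool:
    """True when the event satisfies the rule's `filter` block."""
    return event.get("Image", "").lower().endswith(FILTER_SUFFIXES)


def matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not filtered(event)


def alerts(events):
    """Return the rule's `fields` (CommandLine, ParentCommandLine) plus the
    child Image for each hit: the first things an analyst looks at in triage."""
    return [
        {
            "Image": e.get("Image"),
            "CommandLine": e.get("CommandLine"),
            "ParentCommandLine": e.get("ParentCommandLine"),
        }
        for e in events
        if matches(e)
    ]


# Constructed sample events (not real telemetry); paths and users are made up.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {   # Word running a binary from the user's temp folder: should alert
        "ParentImage": OFFICE + r"\WINWORD.EXE",
        "ParentCommandLine": '"' + OFFICE + r'\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"',
        "Image": r"C:\Users\alice\AppData\Local\Temp\invoice_update.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\invoice_update.exe",
    },
    {   # Word launching the per-user Teams install: caught by the filter, no alert
        "ParentImage": OFFICE + r"\WINWORD.EXE",
        "ParentCommandLine": '"' + OFFICE + r'\WINWORD.EXE"',
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe --processStart Teams.exe",
    },
    {   # Outlook parent: not in the rule's parent list, no alert
        "ParentImage": OFFICE + r"\OUTLOOK.EXE",
        "ParentCommandLine": '"' + OFFICE + r'\OUTLOOK.EXE"',
        "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
        "CommandLine": r"C:\Users\bob\AppData\Local\Temp\setup.exe /quiet",
    },
    {   # Excel spawning cmd.exe from System32: outside C:\users\, not this rule's scope
        "ParentImage": OFFICE + r"\EXCEL.EXE",
        "ParentCommandLine": '"' + OFFICE + r'\EXCEL.EXE"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # Equation Editor child with a mixed-case path: case-insensitive match, should alert
        "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "ParentCommandLine": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
        "Image": r"c:\users\carol\appdata\roaming\updater.EXE",
        "CommandLine": r"c:\users\carol\appdata\roaming\updater.EXE",
    },
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two expected hits (the Word child in `Temp` and the Equation Editor child in `Roaming`) and nothing for the Teams, Outlook and `System32` events. In production the rule is converted to a SIEM query with the Sigma tooling rather than evaluated this way; the evaluator only makes the rule's three decisions (parent list, child location, Teams exclusion) explicit so a detection engineer can reason about coverage and about which additional exclusions a given environment may need.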
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- Active Directory Parsing DLL Loaded Via Office Application
- CLR DLL Loaded Via Office Applications
- DotNET Assembly DLL Loaded Via Office Application
- Download From Suspicious TLD - Blacklist