Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Sigma rule

title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
    - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019/04/02
modified: 2023/02/04
tags:
    - attack.execution
    - attack.t1204.002
    - attack.g0046
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.exe'
            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\Teams.exe'
    condition: selection and not filter
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
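The rule's `selection and not filter` logic, as an added Python example that is not part of the Sigma rule or project: it evaluates the same parent/image conditions over a few constructed process_creation events (the sample paths and command lines are assumptions), so the Teams exclusion and the commented-out Outlook parent can be seen in action.

```python
# Added example (not from the Sigma project): re-implements this rule's
# detection logic over constructed Windows process_creation events.
# Sigma string matching is case-insensitive, so values are lower-cased.
OFFICE_PARENTS = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\mspub.exe",
    "\\visio.exe", "\\msaccess.exe", "\\eqnedt32.exe",
)
FILTER_IMAGES = ("\\teams.exe",)  # the rule's `filter` block


def matches(event: dict) -> bool:
    """Return True when the event satisfies `selection and not filter`."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    selection = (
        parent.endswith(OFFICE_PARENTS)
        and image.startswith("c:\\users\\")
        and image.endswith(".exe")
    )
    excluded = image.endswith(FILTER_IMAGES)
    return selection and not excluded


# Constructed sample events (not real telemetry); paths are assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe /silent"},          # should alert
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "CommandLine": "Teams.exe"},                   # excluded by filter
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe"},                  # Outlook is not a selected parent
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},           # not under C:\users\
]


def alerts(events):
    """Return the CommandLine of every event that triggers the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```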
Related rules
- Suspicious Microsoft Office Child Process - MacOS
- Potential APT FIN7 POWERHOLD Execution
- Potential POWERTRASH Script Execution
- Suspicious WmiPrvSE Child Process
- File With Uncommon Extension Created By An Office Application