Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Sigma rule (View on GitHub)
1title: Suspicious Microsoft Office Child Process
2id: 438025f9-5856-4663-83f7-52f878a70a50
3related:
4 - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks
5 type: derived
6 - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
7 type: derived
8 - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
9 type: obsoletes
10 - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
11 type: obsoletes
12 - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
13 type: obsoletes
14status: test
15description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
16references:
17 - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
18 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
19 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
20 - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
21 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
22 - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
23 - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
24 - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
25 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
26 - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
27 - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
28author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
29date: 2018/04/06
30modified: 2023/04/24
31tags:
32 - attack.defense_evasion
33 - attack.execution
34 - attack.t1047
35 - attack.t1204.002
36 - attack.t1218.010
37logsource:
38 category: process_creation
39 product: windows
40detection:
41 selection_parent:
42 ParentImage|endswith:
43 - '\EQNEDT32.EXE'
44 - '\EXCEL.EXE'
45 - '\MSACCESS.EXE'
46 - '\MSPUB.exe'
47 - '\ONENOTE.EXE'
48 - '\POWERPNT.exe'
49 - '\VISIO.exe'
50 - '\WINWORD.EXE'
51 - '\wordpad.exe'
52 - '\wordview.exe'
53 selection_child_processes:
54 - OriginalFileName:
55 - 'bitsadmin.exe'
56 - 'CertOC.exe'
57 - 'CertUtil.exe'
58 - 'Cmd.Exe'
59 - 'CMSTP.EXE'
60 - 'cscript.exe'
61 - 'curl.exe'
62 - 'HH.exe'
63 - 'IEExec.exe'
64 - 'InstallUtil.exe'
65 - 'javaw.exe'
66 - 'Microsoft.Workflow.Compiler.exe'
67 - 'msdt.exe'
68 - 'MSHTA.EXE'
69 - 'msiexec.exe'
70 - 'Msxsl.exe'
71 - 'odbcconf.exe'
72 - 'pcalua.exe'
73 - 'PowerShell.EXE'
74 - 'RegAsm.exe'
75 - 'RegSvcs.exe'
76 - 'REGSVR32.exe'
77 - 'RUNDLL32.exe'
78 - 'schtasks.exe'
79 - 'ScriptRunner.exe'
80 - 'wmic.exe'
81 - 'WorkFolders.exe'
82 - 'wscript.exe'
83 - Image|endswith:
84 - '\AppVLP.exe'
85 - '\bash.exe'
86 - '\bitsadmin.exe'
87 - '\certoc.exe'
88 - '\certutil.exe'
89 - '\cmd.exe'
90 - '\cmstp.exe'
91 - '\control.exe'
92 - '\cscript.exe'
93 - '\curl.exe'
94 - '\forfiles.exe'
95 - '\hh.exe'
96 - '\ieexec.exe'
97 - '\installutil.exe'
98 - '\javaw.exe'
99 - '\mftrace.exe'
100 - '\Microsoft.Workflow.Compiler.exe'
101 - '\msbuild.exe'
102 - '\msdt.exe'
103 - '\mshta.exe'
104 - '\msidb.exe'
105 - '\msiexec.exe'
106 - '\msxsl.exe'
107 - '\odbcconf.exe'
108 - '\pcalua.exe'
109 - '\powershell.exe'
110 - '\pwsh.exe'
111 - '\regasm.exe'
112 - '\regsvcs.exe'
113 - '\regsvr32.exe'
114 - '\rundll32.exe'
115 - '\schtasks.exe'
116 - '\scrcons.exe'
117 - '\scriptrunner.exe'
118 - '\sh.exe'
119 - '\svchost.exe'
120 - '\verclsid.exe'
121 - '\wmic.exe'
122 - '\workfolders.exe'
123 - '\wscript.exe'
124 selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
125 Image|contains:
126 - '\AppData\'
127 - '\Users\Public\'
128 - '\ProgramData\'
129 - '\Windows\Tasks\'
130 - '\Windows\Temp\'
131 - '\Windows\System32\Tasks\'
132 condition: selection_parent and 1 of selection_child_*
133falsepositives:
134 - Unknown
135level: high
References
-
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Read More -
-
Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind the Travelex intrusion and current reports point to an attack against Acer for a reported $50 million ransom demand.
Read More -
Two days ago, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus:
Read More -
Detection Ideas & Rules repository. Contribute to vadim-hunter/Detection-Ideas-Rules development by creating an account on GitHub.
Read More -
Splunk Security Content. Contribute to splunk/security_content development by creating an account on GitHub.
Read More -
-
The Elastic Security Labs team has been tracking REF2731, an 5-stage intrusion set involving the PARALLAX loader and the NETWIRE RAT.
Read More -
-
5/5 Local AV Malicious content was detected by heuristic scan - Local AV match on Sample File for "C:\Users\aETAdzjz\Desktop\emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485...
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- File Creation by Office Applications
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Potential SquiblyTwo Technique Execution
- DNS Query Request By Regsvr32.EXE