Suspicious Microsoft Office Child Process

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Sigma rule

title: Suspicious Microsoft Office Child Process
id: 438025f9-5856-4663-83f7-52f878a70a50
related:
    - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Specific OneNote rule due to its recent usage in phishing attacks
      type: derived
    - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
      type: derived
    - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
      type: obsoletes
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsoletes
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsoletes
status: test
description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
    - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
    - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
    - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
    - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
date: 2018/04/06
modified: 2023/04/24
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\EQNEDT32.EXE'
            - '\EXCEL.EXE'
            - '\MSACCESS.EXE'
            - '\MSPUB.exe'
            - '\ONENOTE.EXE'
            - '\POWERPNT.exe'
            - '\VISIO.exe'
            - '\WINWORD.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_child_processes:
        - OriginalFileName:
            - 'bitsadmin.exe'
            - 'CertOC.exe'
            - 'CertUtil.exe'
            - 'Cmd.Exe'
            - 'CMSTP.EXE'
            - 'cscript.exe'
            - 'curl.exe'
            - 'HH.exe'
            - 'IEExec.exe'
            - 'InstallUtil.exe'
            - 'javaw.exe'
            - 'Microsoft.Workflow.Compiler.exe'
            - 'msdt.exe'
            - 'MSHTA.EXE'
            - 'msiexec.exe'
            - 'Msxsl.exe'
            - 'odbcconf.exe'
            - 'pcalua.exe'
            - 'PowerShell.EXE'
            - 'RegAsm.exe'
            - 'RegSvcs.exe'
            - 'REGSVR32.exe'
            - 'RUNDLL32.exe'
            - 'schtasks.exe'
            - 'ScriptRunner.exe'
            - 'wmic.exe'
            - 'WorkFolders.exe'
            - 'wscript.exe'
        - Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certoc.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cmstp.exe'
            - '\control.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\ieexec.exe'
            - '\installutil.exe'
            - '\javaw.exe'
            - '\mftrace.exe'
            - '\Microsoft.Workflow.Compiler.exe'
            - '\msbuild.exe'
            - '\msdt.exe'
            - '\mshta.exe'
            - '\msidb.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\pcalua.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regasm.exe'
            - '\regsvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\svchost.exe'
            - '\verclsid.exe'
            - '\wmic.exe'
            - '\workfolders.exe'
            - '\wscript.exe'
    selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Unknown
level: high
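
An added example (not code from the rule's authors or the Sigma project): a small Python evaluator that applies the rule's condition to process-creation events, useful for checking which selection fires before deploying the rule. The value lists are a subset of the rule's own, and the sample events, paths and function names are assumptions constructed for illustration.

```python
# Added example: evaluates the rule's condition on process_creation events.
# Lists below are a SUBSET of the rule's values; the events are constructed.
PARENTS = ("\\excel.exe", "\\winword.exe", "\\onenote.exe", "\\eqnedt32.exe")
CHILD_ORIGINAL = {"powershell.exe", "cmd.exe", "mshta.exe", "msdt.exe"}
CHILD_IMAGE = ("\\powershell.exe", "\\cmd.exe", "\\mshta.exe", "\\msdt.exe")
SUSP_PATHS = ("\\appdata\\", "\\users\\public\\", "\\windows\\temp\\")


def _f(event, field):
    # Sigma string matching is case-insensitive by default; a missing field never matches.
    return (event.get(field) or "").lower()


def matched_selections(event):
    """Return the names of the rule selections this event satisfies."""
    hits = []
    if _f(event, "ParentImage").endswith(PARENTS):
        hits.append("selection_parent")
    # A list of maps under one selection is OR-ed: OriginalFileName OR Image.
    # OriginalFileName comes from the PE version resource, so it survives a rename on disk.
    if _f(event, "OriginalFileName") in CHILD_ORIGINAL or _f(event, "Image").endswith(CHILD_IMAGE):
        hits.append("selection_child_processes")
    if any(p in _f(event, "Image") for p in SUSP_PATHS):
        hits.append("selection_child_susp_paths")
    return hits


def rule_matches(event):
    # condition: selection_parent and 1 of selection_child_*
    hits = matched_selections(event)
    return "selection_parent" in hits and any(h.startswith("selection_child_") for h in hits)


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = {  # constructed events, not real telemetry
    "office_to_powershell": {"ParentImage": WORD, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE"},
    "renamed_powershell": {"ParentImage": WORD, "Image": r"C:\Tools\notepad2.exe", "OriginalFileName": "PowerShell.EXE"},
    "unknown_binary_in_appdata": {"ParentImage": WORD, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "OriginalFileName": "upd.exe"},
    "office_to_splwow64": {"ParentImage": WORD, "Image": r"C:\Windows\splwow64.exe", "OriginalFileName": "splwow64.exe"},
    "explorer_to_cmd": {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:28} match={rule_matches(ev)} via={matched_selections(ev)}")
```

The last two events show the two ways the condition stays silent: an Office parent with a child that hits neither child selection, and a listed child whose parent is not an Office binary.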
