Renamed Office Binary Execution
Detects the execution of a renamed Office binary: a process whose embedded version-info metadata (the OriginalFileName or Description field of the PE VERSIONINFO resource, as logged in process-creation telemetry) identifies it as a Microsoft Office application, while the on-disk image name is not one of the expected Office executables. Renaming a legitimate binary does not change the version information compiled into it, which is what the rule keys on.
Sigma rule
title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-11-13
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName:
              - 'Excel.exe'
              - 'MSACCESS.EXE'
              - 'MSPUB.EXE'
              - 'OneNote.exe'
              - 'OneNoteM.exe'
              - 'OUTLOOK.EXE'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
        - Description:
              - 'Microsoft Access'
              - 'Microsoft Excel'
              - 'Microsoft OneNote'
              - 'Microsoft Outlook'
              - 'Microsoft PowerPoint'
              - 'Microsoft Publisher'
              - 'Microsoft Word'
              - 'Sent to OneNote Tool'
    filter_main_legit_names:
        Image|endswith:
            - '\EXCEL.exe'
            - '\excelcnv.exe'
            - '\MSACCESS.exe'
            - '\MSPUB.EXE'
            - '\ONENOTE.EXE'
            - '\ONENOTEM.EXE'
            - '\OUTLOOK.EXE'
            - '\POWERPNT.EXE'
            - '\WINWORD.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
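To make the condition concrete, the following is an added example (not part of the Sigma rule or of the SigmaHQ project) that re-implements the rule's matching logic in plain Python and runs it over constructed process-creation events shaped like Sysmon Event ID 1 fields. The field values are copied from the rule; the sample events, paths and file names are constructed for illustration. It shows the two points a practitioner should take from the rule: the `selection` block is a list of two maps, so either a matching OriginalFileName or a matching Description is enough to fire, and the filter only compares the image's file name, so a copy of WINWORD.EXE dropped into another directory under its own name passes the filter (that is a different detection), while a binary whose version resource has been rewritten is outside what this rule can see.

```python
# Added example: plain-Python re-implementation of the Sigma rule's logic.
# Not SigmaHQ code. Sample events below are constructed, not real telemetry.

# Values copied from the rule's selection and filter.
ORIGINAL_FILE_NAMES = [
    "Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe",
    "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe",
]
DESCRIPTIONS = [
    "Microsoft Access", "Microsoft Excel", "Microsoft OneNote",
    "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher",
    "Microsoft Word", "Sent to OneNote Tool",
]
LEGIT_IMAGE_SUFFIXES = [
    r"\EXCEL.exe", r"\excelcnv.exe", r"\MSACCESS.exe", r"\MSPUB.EXE",
    r"\ONENOTE.EXE", r"\ONENOTEM.EXE", r"\OUTLOOK.EXE", r"\POWERPNT.EXE",
    r"\WINWORD.exe",
]


def _lower(value):
    """Sigma string matching is case-insensitive by default; normalise once.
    A missing field (None) is treated as an empty string."""
    return (value or "").lower()


def selection(event):
    """'selection' is a list of two maps, so the two checks are OR-ed, and each
    map's value list is itself an OR over the listed strings."""
    ofn = _lower(event.get("OriginalFileName"))
    desc = _lower(event.get("Description"))
    return (ofn in {s.lower() for s in ORIGINAL_FILE_NAMES}
            or desc in {s.lower() for s in DESCRIPTIONS})


def filter_main_legit_names(event):
    """Image|endswith against the expected Office file names. Only the file name
    is compared, never the directory, so the path of the image is irrelevant."""
    image = _lower(event.get("Image"))
    return any(image.endswith(suffix.lower()) for suffix in LEGIT_IMAGE_SUFFIXES)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_legit_names(event)


def run_rule(events):
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths and names).
EVENTS = [
    # Legitimate Word: version info matches and the image name is expected.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "Description": "Microsoft Word"},
    # Word renamed to a benign-looking name: version info still says Word.
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "WinWord.exe", "Description": "Microsoft Word"},
    # OriginalFileName absent from the event but Description still present:
    # the second map of the selection carries the detection.
    {"Image": r"C:\Temp\update.exe",
     "OriginalFileName": None, "Description": "Microsoft Excel"},
    # Copied, not renamed: the filter matches on file name alone, so no alert.
    {"Image": r"C:\Users\Public\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "Description": "Microsoft Word"},
    # Version resource rewritten by the attacker: nothing left for the rule
    # to key on, so this binary is a blind spot of the rule, not a miss.
    {"Image": r"C:\Temp\doc.exe",
     "OriginalFileName": "doc.exe", "Description": "Document Viewer"},
]

if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print("ALERT Renamed Office Binary Execution:", hit)
```

Running the block prints two alerts, for `svchost.exe` and `update.exe`; the legitimate Word process, the same-name copy and the rewritten binary produce none. When porting the rule to a backend, confirm that the backend keeps `endswith` case-insensitive and that a missing OriginalFileName does not error out the comparison, since both behaviours are what the rule relies on.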