Renamed Office Binary Execution
Detects the execution of a renamed office binary
Sigma rule
title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2025-12-09
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName:
              - 'Excel.exe'
              - 'MSACCESS.EXE'
              - 'MSPUB.EXE'
              - 'OneNote.exe'
              - 'OneNoteM.exe'
              - 'OUTLOOK.EXE'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
              - 'Olk.exe'
        - Description:
              - 'Microsoft Access'
              - 'Microsoft Excel'
              - 'Microsoft OneNote'
              - 'Microsoft Outlook'
              - 'Microsoft PowerPoint'
              - 'Microsoft Publisher'
              - 'Microsoft Word'
              - 'Sent to OneNote Tool'
    filter_main_legit_names:
        Image|endswith:
            - '\EXCEL.exe'
            - '\excelcnv.exe'
            - '\MSACCESS.exe'
            - '\MSPUB.EXE'
            - '\ONENOTE.EXE'
            - '\ONENOTEM.EXE'
            - '\OUTLOOK.EXE'
            - '\POWERPNT.EXE'
            - '\WINWORD.exe'
            - '\OLK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
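The rule's logic in plain terms: the PE version metadata of the started process (OriginalFileName or Description) says it is an Office product, but the file name on disk is not one of the names the Office binaries normally carry. The filter keys only on the file name suffix, so the detection fires on the metadata/name mismatch, not on the path the binary runs from. The following Python is an added example written for this page, not code from the Sigma project, that evaluates the selection, filter and condition above over constructed process_creation events; the event dictionaries, their field names (Image, OriginalFileName, Description) and all sample values are constructed here, and plain Sigma string values are compared case-insensitively, as Sigma backends do.

```python
"""Evaluate the 'Renamed Office Binary Execution' Sigma logic over constructed
Windows process_creation events. Added illustrative code, not part of the
Sigma project; sample events are constructed, not real telemetry."""

# Values copied from the rule. Plain Sigma string values are matched
# case-insensitively, so everything is normalised with .lower().
ORIGINAL_FILE_NAMES = {s.lower() for s in (
    "Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe",
    "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe", "Olk.exe",
)}
DESCRIPTIONS = {s.lower() for s in (
    "Microsoft Access", "Microsoft Excel", "Microsoft OneNote",
    "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher",
    "Microsoft Word", "Sent to OneNote Tool",
)}
LEGIT_IMAGE_SUFFIXES = tuple(s.lower() for s in (
    "\\EXCEL.exe", "\\excelcnv.exe", "\\MSACCESS.exe", "\\MSPUB.EXE",
    "\\ONENOTE.EXE", "\\ONENOTEM.EXE", "\\OUTLOOK.EXE", "\\POWERPNT.EXE",
    "\\WINWORD.exe", "\\OLK.EXE",
))


def matches_selection(event: dict) -> bool:
    """'selection' is a list of two maps, so either map matching is enough:
    the PE OriginalFileName or the file Description names an Office product."""
    original = event.get("OriginalFileName", "").lower()
    description = event.get("Description", "").lower()
    return original in ORIGINAL_FILE_NAMES or description in DESCRIPTIONS


def matches_legit_name_filter(event: dict) -> bool:
    """'filter_main_legit_names': the on-disk image name is one the Office
    binaries normally carry (Image|endswith, case-insensitive)."""
    image = event.get("Image", "").lower()
    return image.endswith(LEGIT_IMAGE_SUFFIXES)


def is_renamed_office_binary(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_legit_name_filter(event)


def scan(events: list) -> list:
    """Return the Image paths of the events the rule would flag."""
    return [e["Image"] for e in events if is_renamed_office_binary(e)]


# Constructed sample events (field names follow Sigma's Windows
# process_creation naming; paths and values are made up for this example).
SAMPLE_EVENTS = [
    {   # Word launched under its normal file name: excluded by the filter
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "WinWord.exe", "Description": "Microsoft Word"},
    {   # Word's PE metadata under an unrelated file name: flagged
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "WinWord.exe", "Description": "Microsoft Word"},
    {   # OriginalFileName absent, but Description still names Excel: flagged
        "Image": r"C:\Users\Public\svchost.exe",
        "Description": "Microsoft Excel"},
    {   # Unrelated binary: no selection match
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE", "Description": "Notepad"},
    {   # Constructed excelcnv.exe image carrying Excel metadata: the case
        # the filter's '\excelcnv.exe' entry exists to exclude
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe",
        "OriginalFileName": "Excel.exe", "Description": "Microsoft Excel"},
    {   # Mixed-case metadata still matches: flagged
        "Image": r"C:\Temp\word.exe",
        "OriginalFileName": "WINWORD.EXE", "Description": "MICROSOFT WORD"},
]

if __name__ == "__main__":
    for image in scan(SAMPLE_EVENTS):
        print("renamed office binary:", image)
```

Running the script prints the three flagged images (update.exe, svchost.exe and word.exe). The third event shows why the selection lists Description alongside OriginalFileName: a dropper that strips the one field but leaves the other is still caught. The fifth shows the other side of the filter: a helper whose on-disk name is legitimately different from its OriginalFileName must be listed in filter_main_legit_names or it becomes a permanent false positive, which is also the first place to look when tuning the rule for an environment.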
Related rules
- Masquerading as Linux Crond Process
- LOL-Binary Copied From System Directory
- Suspicious Copy From or To System Directory
- Renamed Schtasks Execution
- Potential Defense Evasion Via Binary Rename