Renamed Office Binary Execution

Detects the execution of a renamed office binary

Sigma rule (View on GitHub)

 1title: Renamed Office Binary Execution
 2id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
 3status: test
 4description: Detects the execution of a renamed office binary
 5references:
 6    - https://infosec.exchange/@sbousseaden/109542254124022664
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-12-20
 9modified: 2023-11-13
10tags:
11    - attack.defense-evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        - OriginalFileName:
18              - 'Excel.exe'
19              - 'MSACCESS.EXE'
20              - 'MSPUB.EXE'
21              - 'OneNote.exe'
22              - 'OneNoteM.exe'
23              - 'OUTLOOK.EXE'
24              - 'POWERPNT.EXE'
25              - 'WinWord.exe'
26        - Description:
27              - 'Microsoft Access'
28              - 'Microsoft Excel'
29              - 'Microsoft OneNote'
30              - 'Microsoft Outlook'
31              - 'Microsoft PowerPoint'
32              - 'Microsoft Publisher'
33              - 'Microsoft Word'
34              - 'Sent to OneNote Tool'
35    filter_main_legit_names:
36        Image|endswith:
37            - '\EXCEL.exe'
38            - '\excelcnv.exe'
39            - '\MSACCESS.exe'
40            - '\MSPUB.EXE'
41            - '\ONENOTE.EXE'
42            - '\ONENOTEM.EXE'
43            - '\OUTLOOK.EXE'
44            - '\POWERPNT.EXE'
45            - '\WINWORD.exe'
46    condition: selection and not 1 of filter_main_*
47falsepositives:
48    - Unknown
49level: high

References

Related rules

to-top