Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation

The macro references the ShellBrowserWindow COM object (CLSID C08AFD90-F2A1-11D1-8455-00A0C91F3880, which the rule below looks for behind a "new:" moniker prefix). This object can be used to have Explorer.exe spawn a new process instead of the Office application spawning it as a child. Breaking that parent-child relationship can help a threat actor evade security controls that key on processes launched by Office.

Sublime rule

name: "Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation"
description: |
    Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
references:
  - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/"
  - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ (
            // MS Word
            "doc",
            "docm",
            "docx",
            "dot",
            "dotm",
            // MS Excel
            "xls",
            "xlsx",
            "xlsm",
            "xlm",
            "xlsb",
            "xlt",
            "xltm",
            // MS PowerPoint
            "ppt",
            "pptx",
            "pptm",
            "ppsm"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(., "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*")
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"
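As an added illustration (not part of the Sublime rule or its repository), the following Python re-implements the rule's matching logic over constructed attachment records so the extension filter and the case-insensitive moniker match can be exercised offline. The Attachment class, the ilike helper and the sample strings are assumptions standing in for Sublime's file.explode output.

```python
import fnmatch
from dataclasses import dataclass

# Extensions from the rule's file_extension list (Word, Excel, PowerPoint).
OFFICE_EXTENSIONS = {
    "doc", "docm", "docx", "dot", "dotm",
    "xls", "xlsx", "xlsm", "xlm", "xlsb", "xlt", "xltm",
    "ppt", "pptx", "pptm", "ppsm",
}
# The rule's strings.ilike pattern: the ShellBrowserWindow CLSID behind a "new:" moniker prefix.
SHELLBROWSERWINDOW_PATTERN = "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*"


@dataclass
class Attachment:
    file_name: str
    strings: list  # strings recovered from the exploded file (stand-in for .scan.strings.strings)


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, approximating Sublime's strings.ilike."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def file_extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def attachment_matches(att: Attachment) -> bool:
    # Both conditions of the rule: an Office extension and the moniker string in the exploded content.
    if file_extension(att.file_name) not in OFFICE_EXTENSIONS:
        return False
    return any(ilike(s, SHELLBROWSERWINDOW_PATTERN) for s in att.strings)


def evaluate(inbound: bool, attachments: list) -> list:
    """Return names of attachments that trigger the rule (empty if the message is not inbound)."""
    if not inbound:
        return []
    return [a.file_name for a in attachments if attachment_matches(a)]


# Constructed samples (not real malware): only the two Office files carrying the moniker should fire.
SAMPLES = [
    Attachment("invoice.docm", ["Sub AutoOpen()", "new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"]),
    Attachment("Q3-figures.XLSB", ["Workbook_Open", "NEW:c08afd90-f2a1-11d1-8455-00a0c91f3880"]),
    Attachment("notes.pdf", ["new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"]),  # not an Office extension
    Attachment("agenda.docx", ["Document_Open", "MsgBox"]),
    Attachment("deck.pptm", ["C08AFD90-F2A1-11D1-8455-00A0C91F3880"]),  # CLSID without "new:" is not matched
]

if __name__ == "__main__":
    print(evaluate(True, SAMPLES))  # ['invoice.docm', 'Q3-figures.XLSB']
```

The bare CLSID in the last sample is deliberately left unmatched, mirroring the rule's requirement for the "new:" prefix.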