Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation

Macro references the ShellBrowserWindow COM object, which can be used to spawn new processes from Explorer.exe so that they do not appear as child processes of the Office application. This can be useful for a threat actor attempting to evade security controls.

Sublime rule

name: "Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation"
description: |
    Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
references:
  - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/"
  - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(., "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*")
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"
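The following is an added Python re-implementation of the rule's logic, not code from Sublime or the rule author, useful for checking how the attachment gating and the case-insensitive `strings.ilike` match behave on constructed inputs. The page does not expand the `$file_extensions_macros` list, so the extension set below is an assumption.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Assumed contents of the rule's $file_extensions_macros list (not given on the page).
FILE_EXTENSIONS_MACROS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xlt", "xltm", "ppt", "pptm"}

# The rule's ilike pattern: the ShellBrowserWindow CLSID behind the "new:" moniker.
SHELLBROWSERWINDOW_PATTERN = "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*"


@dataclass
class Attachment:
    file_extension: Optional[str]   # None models ".file_extension is null"
    file_type: str
    content_type: str
    size: int
    strings: List[str]              # stands in for file.explode(.).scan.strings.strings


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match with '*' wildcards, mirroring strings.ilike."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def attachment_is_candidate(att: Attachment) -> bool:
    """The attachment-level predicate: macro-capable extension, or the
    extension-less octet-stream fallback capped at 100 MB."""
    if att.file_extension is not None:
        return att.file_extension.lower() in FILE_EXTENSIONS_MACROS  # mirrors in~
    return (att.file_type == "unknown"
            and att.content_type == "application/octet-stream"
            and att.size < 100_000_000)


def references_shellbrowserwindow(att: Attachment) -> bool:
    """True if any extracted string carries the ShellBrowserWindow CLSID moniker."""
    return any(ilike(s, SHELLBROWSERWINDOW_PATTERN) for s in att.strings)


def rule_matches(inbound: bool, attachments: List[Attachment]) -> bool:
    """Whole-rule verdict: inbound message with at least one candidate
    attachment whose strings reference the CLSID."""
    return inbound and any(attachment_is_candidate(a) and references_shellbrowserwindow(a)
                           for a in attachments)
```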