Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation
The macro references the ShellBrowserWindow COM object, which can be used to spawn a new process from Explorer.exe rather than as a child process of the Office application. Breaking the parent-child chain this way is useful to a threat actor trying to evade controls that key on suspicious child processes of Office applications.
Sublime rule:

```yaml
name: "Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation"
description: |
  Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
references:
  - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/"
  - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(., "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*")
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"
```
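To make the rule's two predicates concrete, here is an added Python re-implementation of its logic run over constructed attachments. This is example code written for this page, not Sublime's engine or the rule author's code. It assumes a hand-picked subset of the `$file_extensions_macros` list, approximates `strings.ilike` with a case-insensitive glob and `file.explode(.).scan.strings.strings` with a printable-ASCII run extractor, and the two sample macros are constructed (the first follows the technique from the referenced F-Secure post; the second assembles the moniker at runtime to show what a literal-string match does not see).

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# CLSID of the ShellBrowserWindow COM object. In VBA, GetObject("new:<CLSID>")
# uses the "new:" moniker to instantiate it without needing a ProgID.
SHELLBROWSERWINDOW_CLSID = "C08AFD90-F2A1-11D1-8455-00A0C91F3880"

# The rule's literal: a case-insensitive wildcard match on the whole moniker string.
RULE_PATTERN = f"*new:{SHELLBROWSERWINDOW_CLSID}*"

# Assumption: a hand-picked subset of Sublime's $file_extensions_macros list.
FILE_EXTENSIONS_MACROS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xlsb",
                          "xlt", "xltm", "xlam", "ppt", "pptm", "pot", "potm", "ppam"}


@dataclass
class Attachment:
    """Constructed stand-in for the attachment fields the rule reads."""
    file_extension: Optional[str]
    file_type: str
    content_type: str
    size: int
    content: bytes = b""


def strings_ilike(value: str, pattern: str) -> bool:
    """Approximation of strings.ilike: case-insensitive glob with * and ? wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_candidate_attachment(a: Attachment) -> bool:
    """First half of the rule: a macro-capable extension, or an extensionless
    blob Sublime could not type that arrived as a generic octet-stream under 100 MB."""
    ext = a.file_extension
    if ext is not None and ext.lower() in FILE_EXTENSIONS_MACROS:
        return True
    return (ext is None and a.file_type == "unknown"
            and a.content_type == "application/octet-stream"
            and a.size < 100_000_000)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Crude analogue of .scan.strings.strings: printable-ASCII runs of min_len+ bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def references_shellbrowserwindow(a: Attachment) -> bool:
    """Second half of the rule: any extracted string contains the new: moniker."""
    return any(strings_ilike(s, RULE_PATTERN) for s in extract_strings(a.content))


def rule_matches(attachments: list, inbound: bool = True) -> bool:
    """type.inbound and any(attachments, candidate and references the CLSID)."""
    return inbound and any(is_candidate_attachment(a) and references_shellbrowserwindow(a)
                           for a in attachments)


# Constructed sample macro: instantiate ShellBrowserWindow through the new: moniker,
# then launch a process through it so the child is parented to explorer.exe.
MACRO_DIRECT = b"""Sub AutoOpen()
    Dim sbw As Object
    Set sbw = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
    sbw.Document.Application.ShellExecute "calc.exe", Null, Null, "open", 1
End Sub
"""

# Constructed variant: same behaviour, but the moniker is concatenated at runtime,
# so the contiguous literal the rule searches for never appears in the file.
MACRO_SPLIT = b"""Sub AutoOpen()
    Dim sbw As Object
    Set sbw = GetObject("new:C08AFD90-F2A1-" & "11D1-8455-00A0C91F3880")
    sbw.Document.Application.ShellExecute "calc.exe", Null, Null, "open", 1
End Sub
"""

WORD_MACRO = "application/vnd.ms-word.document.macroEnabled.12"


def demo() -> dict:
    """Run the rule over constructed attachments; returns case name -> verdict."""
    docm = Attachment("docm", "docm", WORD_MACRO, 4096, MACRO_DIRECT)
    blob = Attachment(None, "unknown", "application/octet-stream", 4096, MACRO_DIRECT)
    pdf = Attachment("pdf", "pdf", "application/pdf", 4096, MACRO_DIRECT)
    split = Attachment("docm", "docm", WORD_MACRO, 4096, MACRO_SPLIT)
    lower = Attachment("xlsm", "xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12",
                       4096, MACRO_DIRECT.lower())
    return {
        "docm_with_moniker": rule_matches([docm]),
        "extensionless_blob": rule_matches([blob]),
        "pdf_not_a_candidate": rule_matches([pdf]),
        "split_clsid_evades_literal": rule_matches([split]),
        "lowercase_still_hits": rule_matches([lower]),
        "outbound_ignored": rule_matches([docm], inbound=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The `split_clsid_evades_literal` case is the caveat to keep in mind: the rule fires on the contiguous moniker string, so a macro that builds the CLSID from fragments, or decodes it at runtime, is not covered by this signature alone and needs a complementary detection (for example on the `new:` moniker itself, or on the explorer.exe-parented child process at the endpoint).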