← Back to Explore
sigmahighHunting
Renamed Office Binary Execution
Detects the execution of a renamed office binary
Detection Query
selection:
- OriginalFileName:
- Excel.exe
- MSACCESS.EXE
- MSPUB.EXE
- OneNote.exe
- OneNoteM.exe
- OUTLOOK.EXE
- POWERPNT.EXE
- WinWord.exe
- Olk.exe
- Description:
- Microsoft Access
- Microsoft Excel
- Microsoft OneNote
- Microsoft Outlook
- Microsoft PowerPoint
- Microsoft Publisher
- Microsoft Word
- Sent to OneNote Tool
filter_main_legit_names:
Image|endswith:
- \EXCEL.exe
- \excelcnv.exe
- \MSACCESS.exe
- \MSPUB.EXE
- \ONENOTE.EXE
- \ONENOTEM.EXE
- \OUTLOOK.EXE
- \POWERPNT.EXE
- \WINWORD.exe
- \OLK.EXE
condition: selection and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-12-20
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.t1036.003
Raw Content
title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
- https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2025-12-09
tags:
- attack.defense-evasion
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName:
- 'Excel.exe'
- 'MSACCESS.EXE'
- 'MSPUB.EXE'
- 'OneNote.exe'
- 'OneNoteM.exe'
- 'OUTLOOK.EXE'
- 'POWERPNT.EXE'
- 'WinWord.exe'
- 'Olk.exe'
- Description:
- 'Microsoft Access'
- 'Microsoft Excel'
- 'Microsoft OneNote'
- 'Microsoft Outlook'
- 'Microsoft PowerPoint'
- 'Microsoft Publisher'
- 'Microsoft Word'
- 'Sent to OneNote Tool'
filter_main_legit_names:
Image|endswith:
- '\EXCEL.exe'
- '\excelcnv.exe'
- '\MSACCESS.exe'
- '\MSPUB.EXE'
- '\ONENOTE.EXE'
- '\ONENOTEM.EXE'
- '\OUTLOOK.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- '\OLK.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high