Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
Macro references the ShellBrowserWindow COM object, which can be used to spawn new processes from Explorer.exe rather than as child processes of the Office application. This can be useful for a threat actor attempting to evade security controls that key on the Office process being the parent of a suspicious child.
Detection Query
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and any(file.explode(.),
                any(.scan.strings.strings,
                    strings.ilike(.,
                                  "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*"
                    )
                )
        )
)
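The query above has two halves: an attachment pre-filter (macro-capable extension, or an extension-less, unidentified octet-stream blob under 100 MB) and a case-insensitive wildcard match for the "new:" moniker of the ShellBrowserWindow CLSID across the strings of the exploded attachment. The following Python is an added example that re-implements that logic over constructed sample messages so the behaviour of each branch can be checked offline; it is not Sublime's engine or the rule author's code. The MACRO_EXTENSIONS set is an assumption standing in for Sublime's $file_extensions_macros list, and the Attachment/Message classes, sample strings and sizes are all constructed.

```python
"""Plain-Python re-implementation of the detection query, run over constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Moniker the rule hunts for: "new:" followed by the ShellBrowserWindow CLSID (taken from the rule).
SHELLBROWSERWINDOW_MONIKER = "new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"

# Assumption: Sublime's $file_extensions_macros list is not reproduced on the page; this
# stand-in covers the common macro-enabled and legacy binary Office extensions.
MACRO_EXTENSIONS = {
    "docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam", "ppsm",
    "doc", "dot", "xls", "xlt", "ppt", "pot",
}


@dataclass
class Attachment:
    file_extension: Optional[str]   # None models `.file_extension is null`
    file_type: str
    content_type: str
    size: int
    # Constructed stand-in for what file.explode(.) + .scan.strings.strings would yield.
    strings: List[str]


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment]


def is_macro_candidate(att: Attachment) -> bool:
    """First half of the rule: extension in the macro list (case-insensitive, like `in~`),
    or no extension at all plus an unidentified octet-stream body under 100 MB."""
    if att.file_extension is not None:
        return att.file_extension.lower() in MACRO_EXTENSIONS
    return (
        att.file_type == "unknown"
        and att.content_type == "application/octet-stream"
        and att.size < 100_000_000
    )


def references_shellbrowserwindow(strings: List[str]) -> bool:
    """Second half: strings.ilike(., "*new:C08AFD90-...*") is a case-insensitive wildcard
    match, i.e. a case-insensitive substring test over every extracted string."""
    needle = SHELLBROWSERWINDOW_MONIKER.lower()
    return any(needle in s.lower() for s in strings)


def rule_matches(msg: Message) -> bool:
    """Whole rule: inbound message with at least one attachment satisfying both halves."""
    return msg.inbound and any(
        is_macro_candidate(a) and references_shellbrowserwindow(a.strings)
        for a in msg.attachments
    )


# Constructed sample strings (not real telemetry). The lowercase CLSID exercises ilike's
# case-insensitivity.
MONIKER_STRINGS = ['Attribute VB_Name = "ThisDocument"',
                   "new:c08afd90-f2a1-11d1-8455-00a0c91f3880"]
BENIGN_STRINGS = ['Attribute VB_Name = "ThisDocument"', 'MsgBox "Quarterly report"']
DOCM_MIME = "application/vnd.ms-word.document.macroEnabled.12"

SAMPLES: Dict[str, Message] = {
    "docm_with_moniker": Message(True, [Attachment("DOCM", "docm", DOCM_MIME, 54_000, MONIKER_STRINGS)]),
    "docm_benign": Message(True, [Attachment("docm", "docm", DOCM_MIME, 54_000, BENIGN_STRINGS)]),
    "octet_stream_no_extension": Message(True, [Attachment(None, "unknown", "application/octet-stream", 2_048, MONIKER_STRINGS)]),
    "octet_stream_too_large": Message(True, [Attachment(None, "unknown", "application/octet-stream", 200_000_000, MONIKER_STRINGS)]),
    "pdf_with_moniker_text": Message(True, [Attachment("pdf", "pdf", "application/pdf", 9_000, MONIKER_STRINGS)]),
    "outbound_docm_with_moniker": Message(False, [Attachment("docm", "docm", DOCM_MIME, 54_000, MONIKER_STRINGS)]),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample and report which ones would alert."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:30s} {'ALERT' if hit else 'no match'}")
```

Only the .docm carrying the moniker and the extension-less octet-stream blob alert; the same moniker inside a PDF or an outbound message does not, and the size cap drops the oversized blob. That mirrors where the rule's coverage ends: it keys on the extension pre-filter and the literal CLSID string, so a review of the triggering macro text is still the confirming step.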
Author
ajpc500
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
References
https://blog.f-secure.com/dechaining-macros-and-evading-edr/
https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec
Raw Content
name: "Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation"
description: |
  Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
references:
  - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/"
  - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*"
                      )
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"