Sigma rule | level: medium | threat hunting
Suspicious New Instance Of An Office COM Object
Detects an svchost process spawning an instance of an Office application. This happens when the initial Word application creates an instance of one of the Office COM objects, such as 'Word.Application' or 'Excel.Application'. Malicious actors can use this to create malicious Office documents with macros on the fly (see the vba2clr project in the references).
Detection Query
selection:
    ParentImage|endswith: \svchost.exe
    Image|endswith:
        - \eqnedt32.exe
        - \excel.exe
        - \msaccess.exe
        - \mspub.exe
        - \powerpnt.exe
        - \visio.exe
        - \winword.exe
condition: selection
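To show what the rule's selection actually matches, here is an added Python example (not the Sigma rule's or this page's own code) that applies the same endswith checks to constructed process-creation events; the field names are assumed to follow Sysmon Event ID 1 and the sample paths are invented.

```python
# Added example, not the rule's or the page's own code: applies the rule's
# `selection` to constructed process-creation events the way a compiled
# Sigma query would run inside a SIEM.

# Image suffixes copied from the rule's Image|endswith list
OFFICE_IMAGES = (
    "\\eqnedt32.exe", "\\excel.exe", "\\msaccess.exe", "\\mspub.exe",
    "\\powerpnt.exe", "\\visio.exe", "\\winword.exe",
)
PARENT_IMAGE = "\\svchost.exe"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma compares string values case-insensitively by default, so both
    fields are lower-cased before the suffix checks. The rule looks only at
    Image and ParentImage; CommandLine and the path prefix play no part.
    """
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return parent.endswith(PARENT_IMAGE) and image.endswith(OFFICE_IMAGES)


# Constructed sample events with Sysmon Event ID 1 field names (assumption:
# the log source maps to these field names; all paths are invented)
SAMPLE_EVENTS = [
    # Word opened by the user from the shell: parent is explorer, no match
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Excel started under a service host, as with COM activation: match
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Non-Office child of svchost: parent matches, image does not
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Same image name from an unusual directory: endswith ignores the path,
    # so this matches too (worth keeping in mind when triaging hits)
    {"Image": r"C:\Users\Public\winword.exe",
     "ParentImage": r"C:\Windows\SysWOW64\svchost.exe"},
]


def hunt(events):
    """Return the events the rule would flag, in input order."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['ParentImage']} -> {hit['Image']}")
```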
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-10-13
Data Sources
Windows: process creation events
Platforms
windows
References
- https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
- https://github.com/med0x2e/vba2clr
Tags
attack.execution, attack.defense-evasion, detection.threat-hunting
Raw Content
title: Suspicious New Instance Of An Office COM Object
id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
status: test
description: |
    Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
    This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
references:
    - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
    - https://github.com/med0x2e/vba2clr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-13
modified: 2023-12-19
tags:
    - attack.execution
    - attack.defense-evasion
    - detection.threat-hunting
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith:
            - '\eqnedt32.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    condition: selection
falsepositives:
    - Legitimate usage of office automation via scripting
level: medium