sigma | high | Hunting
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
Detection Query
selection_word_paths:
  - TargetFilename|contains: \Microsoft\Word\STARTUP
  - TargetFilename|contains|all:
      - \Office
      - \Program Files
      - \STARTUP
filter_exclude_word_ext:
  TargetFilename|endswith:
    - .docb
    - .docm
    - .docx
    - .dotm
    - .mdb
    - .mdw
    - .pdf
    - .wll
    - .wwl
selection_excel_paths:
  - TargetFilename|contains: \Microsoft\Excel\XLSTART
  - TargetFilename|contains|all:
      - \Office
      - \Program Files
      - \XLSTART
filter_exclude_excel_ext:
  TargetFilename|endswith:
    - .xll
    - .xls
    - .xlsm
    - .xlsx
    - .xlt
    - .xltm
    - .xlw
filter_main_office_click_to_run:
  Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\
  Image|endswith: \OfficeClickToRun.exe
filter_main_office_apps:
  Image|contains:
    - :\Program Files\Microsoft Office\
    - :\Program Files (x86)\Microsoft Office\
  Image|endswith:
    - \winword.exe
    - \excel.exe
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-05
Data Sources
windows / File Events
Platforms
windows
References
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- http://addbalance.com/word/startup.htm
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
Tags
- attack.resource-development
- attack.t1587.001
Raw Content
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
  - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
  - http://addbalance.com/word/startup.htm
  - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
  - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
  - attack.resource-development
  - attack.t1587.001
logsource:
  product: windows
  category: file_event
detection:
  selection_word_paths:
    - TargetFilename|contains: '\Microsoft\Word\STARTUP'
    - TargetFilename|contains|all:
        - '\Office'
        - '\Program Files'
        - '\STARTUP'
  filter_exclude_word_ext:
    TargetFilename|endswith:
      - '.docb' # Word binary document introduced in Microsoft Office 2007
      - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
      - '.docx' # Word document
      - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
      - '.mdb' # MS Access DB
      - '.mdw' # MS Access DB
      - '.pdf' # PDF documents
      - '.wll' # Word add-in
      - '.wwl' # Word add-in
  selection_excel_paths:
    - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
    - TargetFilename|contains|all:
        - '\Office'
        - '\Program Files'
        - '\XLSTART'
  filter_exclude_excel_ext:
    TargetFilename|endswith:
      - '.xll'
      - '.xls'
      - '.xlsm'
      - '.xlsx'
      - '.xlt'
      - '.xltm'
      - '.xlw'
  filter_main_office_click_to_run:
    Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
    Image|endswith: '\OfficeClickToRun.exe'
  filter_main_office_apps:
    Image|contains:
      - ':\Program Files\Microsoft Office\'
      - ':\Program Files (x86)\Microsoft Office\'
    Image|endswith:
      - '\winword.exe'
      - '\excel.exe'
  condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
  - False positive might stem from rare extensions used by other Office utilities.
level: high
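To make the condition concrete, the following Python is an added worked example (not part of the rule above and not code from the Sigma project): it reimplements the rule's selections and filters with Sigma's case-insensitive `contains`, `contains|all` and `endswith` semantics, then evaluates the condition over a handful of constructed file-creation events carrying the two fields the rule reads, `Image` and `TargetFilename`. All paths, process names and file names in the sample events are hypothetical.

```python
"""Evaluate the Sigma rule's detection logic over constructed file-creation events.

The events mimic the fields the rule reads from a Windows file_event source
(for example Sysmon Event ID 11): Image (creating process) and TargetFilename.
Sigma string modifiers are case-insensitive, which the helpers below reproduce.
All sample data is constructed for illustration only.
"""

# selection_word_paths: either the per-user Word STARTUP folder, or the
# machine-wide one under Program Files (all three fragments must be present).
WORD_STARTUP_MARKER = "\\Microsoft\\Word\\STARTUP"
WORD_STARTUP_ALL = ("\\Office", "\\Program Files", "\\STARTUP")
# filter_exclude_word_ext: extensions Word itself commonly places there.
WORD_BENIGN_EXT = (".docb", ".docm", ".docx", ".dotm", ".mdb", ".mdw", ".pdf", ".wll", ".wwl")

# selection_excel_paths / filter_exclude_excel_ext: same shape for Excel's XLSTART.
EXCEL_STARTUP_MARKER = "\\Microsoft\\Excel\\XLSTART"
EXCEL_STARTUP_ALL = ("\\Office", "\\Program Files", "\\XLSTART")
EXCEL_BENIGN_EXT = (".xll", ".xls", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xlw")

# filter_main_*: file creations performed by Office's own binaries are suppressed.
CLICK_TO_RUN_DIR = ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"
CLICK_TO_RUN_EXE = "\\OfficeClickToRun.exe"
OFFICE_DIRS = (":\\Program Files\\Microsoft Office\\", ":\\Program Files (x86)\\Microsoft Office\\")
OFFICE_EXES = ("\\winword.exe", "\\excel.exe")


def _contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def _contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all' modifier: every fragment must occur."""
    return all(_contains(value, n) for n in needles)


def _endswith_any(value: str, suffixes) -> bool:
    """Sigma 'endswith' with a list value: any suffix matches."""
    low = value.lower()
    return any(low.endswith(s.lower()) for s in suffixes)


def in_word_startup(path: str) -> bool:
    return _contains(path, WORD_STARTUP_MARKER) or _contains_all(path, WORD_STARTUP_ALL)


def in_excel_startup(path: str) -> bool:
    return _contains(path, EXCEL_STARTUP_MARKER) or _contains_all(path, EXCEL_STARTUP_ALL)


def is_office_process(image: str) -> bool:
    """'1 of filter_main_*': the Click-to-Run service, or winword/excel under Program Files."""
    click_to_run = _contains(image, CLICK_TO_RUN_DIR) and _endswith_any(image, (CLICK_TO_RUN_EXE,))
    office_app = any(_contains(image, d) for d in OFFICE_DIRS) and _endswith_any(image, OFFICE_EXES)
    return click_to_run or office_app


def matches_rule(event: dict) -> bool:
    """The rule's condition, evaluated for a single file-creation event."""
    path, image = event["TargetFilename"], event["Image"]
    word_hit = in_word_startup(path) and not _endswith_any(path, WORD_BENIGN_EXT)
    excel_hit = in_excel_startup(path) and not _endswith_any(path, EXCEL_BENIGN_EXT)
    return (word_hit or excel_hit) and not is_office_process(image)


def alert_paths(events) -> list:
    """TargetFilename of every event the rule would flag, in input order."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and process names).
SAMPLE_EVENTS = [
    {   # 1: non-Office process writes an unexpected extension into the user's Word STARTUP -> alert
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown_installer.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\helper.dat",
    },
    {   # 2: same file, but written by winword.exe itself (mixed case) -> suppressed by filter_main_office_apps
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\helper.dat",
    },
    {   # 3: ordinary workbook placed in the machine-wide XLSTART -> suppressed by filter_exclude_excel_ext
        "Image": "C:\\Users\\bob\\Downloads\\addin_setup.exe",
        "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\XLSTART\\Book1.xlsx",
    },
    {   # 4: .xlam is not in the Excel allowlist, so a third-party add-in installer trips the rule -> alert
        "Image": "C:\\Users\\bob\\Downloads\\addin_setup.exe",
        "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\extra.xlam",
    },
    {   # 5: Office Click-to-Run maintenance writing into the Program Files STARTUP folder -> suppressed
        "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\readme.txt",
    },
    {   # 6: unrelated location -> no selection matches
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt",
    },
]

if __name__ == "__main__":
    for flagged in alert_paths(SAMPLE_EVENTS):
        print("ALERT", flagged)
```

Running it flags events 1 and 4 only. Event 4 illustrates the tuning point behind the rule's `falsepositives` entry: `.xlam` (an Excel add-in) is not in `filter_exclude_excel_ext`, so a legitimate add-in installer writing to `XLSTART` fires the rule; an environment that deploys such add-ins would extend that filter rather than suppress the whole rule. Event 2 shows why `1 of filter_main_*` matters: the same uncommon file is ignored when Word itself creates it, and the match is case-insensitive, so `WINWORD.EXE` is treated like `winword.exe`.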