Sigma · Level: high · Hunting
Office Macro File Creation From Suspicious Process
Detects the creation of an Office macro file from a suspicious process
Detection Query
selection_cmd:
    - Image|endswith:
        - '\cscript.exe'
        - '\mshta.exe'
        - '\regsvr32.exe'
        - '\rundll32.exe'
        - '\wscript.exe'
    - ParentImage|endswith:
        - '\cscript.exe'
        - '\mshta.exe'
        - '\regsvr32.exe'
        - '\rundll32.exe'
        - '\wscript.exe'
selection_ext:
    TargetFilename|endswith:
        - '.docm'
        - '.dotm'
        - '.xlsm'
        - '.xltm'
        - '.potm'
        - '.pptm'
condition: all of selection_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Created
2022-01-23
Data Sources
windows / File Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
Tags
attack.initial-access, attack.t1566.001
Raw Content
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of an Office macro file from a suspicious process
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_cmd:
        - Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
falsepositives:
- Unknown
level: high
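The following is an added worked example, not part of the Sigma rule above or of the SigmaHQ project: a small Python evaluator that reproduces the rule's matching semantics (a list of maps under `selection_cmd` is an OR between `Image` and `ParentImage`; `|endswith` is a case-insensitive suffix test; `all of selection_*` ANDs the two selections) and runs it over constructed Sysmon Event ID 11 records. The last two sample events show the caveat from the rule's `definition`: the same file write by a child of `mshta.exe` is caught only when the log has been enriched with `ParentImage`, and is silently missed without it. Event contents, paths and user names are made up for the illustration.

```python
"""
Added illustration (not the Sigma rule's own code): evaluate the
'Office Macro File Creation From Suspicious Process' logic over
constructed Sysmon EID 11 (FileCreate) events.

Semantics modelled from the rule:
  - selection_cmd is a YAML list of maps  -> OR between the two maps
  - selection_ext is a single map         -> AND of its fields (one here)
  - 'all of selection_*'                  -> selection_cmd AND selection_ext
  - '|endswith' is a case-insensitive suffix test (Sigma default)
"""
from __future__ import annotations

# Values copied from the rule's selections.
SCRIPT_HOSTS = ("\\cscript.exe", "\\mshta.exe", "\\regsvr32.exe",
                "\\rundll32.exe", "\\wscript.exe")
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")


def ends_with_any(value: str | None, suffixes: tuple[str, ...]) -> bool:
    """Sigma '|endswith' with a list of values: OR over the list,
    case-insensitive. A field that is absent from the event never matches."""
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_cmd(event: dict) -> bool:
    # Two maps in a list -> either one matching is enough.
    return (ends_with_any(event.get("Image"), SCRIPT_HOSTS)
            or ends_with_any(event.get("ParentImage"), SCRIPT_HOSTS))


def selection_ext(event: dict) -> bool:
    return ends_with_any(event.get("TargetFilename"), MACRO_EXTS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_cmd(event) and selection_ext(event)


# Constructed sample events (not real telemetry); field names follow Sysmon EID 11.
SAMPLE_EVENTS = [
    {   # script host writes a macro-enabled workbook -> match
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.xlsm",
    },
    {   # Word itself saving a .docm -> expected activity, no match
        "EventID": 11,
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetFilename": "C:\\Users\\alice\\Documents\\report.docm",
    },
    {   # script host writes a plain .docx -> not a macro-enabled format, no match
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "TargetFilename": "C:\\Users\\alice\\Documents\\notes.docx",
    },
    {   # child of mshta.exe writes a .pptm; caught because ParentImage was enriched
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\mshta.exe",
        "TargetFilename": "C:\\Users\\alice\\Downloads\\deck.pptm",
    },
    {   # same write without the enriched ParentImage field -> silently missed
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Users\\alice\\Downloads\\deck.pptm",
    },
]


def evaluate(events: list[dict]) -> list[bool]:
    """Apply the rule to each event; one verdict per event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        parent = ev.get("ParentImage", "<absent>")
        print(f"{'ALERT' if hit else 'ok   '} Image={ev['Image']} "
              f"ParentImage={parent} Target={ev['TargetFilename']}")
```

Running the script prints one line per sample event; only the first and fourth raise an alert. The fifth event is the practical point of the rule's `definition` note: without a `ParentImage` enrichment, the rule degrades to matching on `Image` alone, so file writes by descendants of the listed script hosts are not covered.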