← Back to Explore
sigmahighHunting
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
Detection Query
selection1:
Image|endswith:
- \excel.exe
- \msaccess.exe
- \mspub.exe
- \powerpnt.exe
- \visio.exe
- \winword.exe
selection2:
TargetFilename|endswith:
- .bat
- .cmd
- .com
- .dll
- .exe
- .hta
- .ocx
- .proj
- .ps1
- .scf
- .scr
- .sys
- .vbe
- .vbs
- .wsf
- .wsh
filter_main_localassembly:
TargetFilename|contains: \AppData\Local\assembly\tmp\
TargetFilename|endswith: .dll
filter_optional_webservicecache:
TargetFilename|contains|all:
- C:\Users\
- \AppData\Local\Microsoft\Office\
- \WebServiceCache\AllUsers
TargetFilename|endswith: .com
filter_optional_webex:
Image|endswith: \winword.exe
TargetFilename|contains: \AppData\Local\Temp\webexdelta\
TargetFilename|endswith:
- .dll
- .exe
filter_optional_backstageinappnavcache:
TargetFilename|contains|all:
- C:\Users\
- \AppData\Local\Microsoft\Office\
- \BackstageInAppNavCache\
TargetFilename|endswith: .com
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
Created
2021-08-23
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.t1204.002attack.execution
Raw Content
title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
- attack.t1204.002
- attack.execution
logsource:
product: windows
category: file_event
detection:
# Note: Please add more file extensions to the logic of your choice.
selection1:
Image|endswith:
- '\excel.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\powerpnt.exe'
- '\visio.exe'
- '\winword.exe'
selection2:
TargetFilename|endswith:
- '.bat'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.ocx'
- '.proj'
- '.ps1'
- '.scf'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
filter_main_localassembly:
TargetFilename|contains: '\AppData\Local\assembly\tmp\'
TargetFilename|endswith: '.dll'
filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\WebServiceCache\AllUsers'
TargetFilename|endswith: '.com'
filter_optional_webex:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\BackstageInAppNavCache\'
TargetFilename|endswith: '.com'
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high