EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Potentially Suspicious Office Document Executed From Trusted Location

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

MITRE ATT&CK

T1202
defense-evasion

Detection Query

selection_parent:
  ParentImage|endswith:
    - \explorer.exe
    - \dopus.exe
selection_img:
  - Image|endswith:
      - \EXCEL.EXE
      - \POWERPNT.EXE
      - \WINWORD.exe
  - OriginalFileName:
      - Excel.exe
      - POWERPNT.EXE
      - WinWord.exe
selection_trusted_location:
  CommandLine|contains:
    - \AppData\Roaming\Microsoft\Templates
    - \AppData\Roaming\Microsoft\Word\Startup\
    - \Microsoft Office\root\Templates\
    - \Microsoft Office\Templates\
filter_main_dotx:
  CommandLine|endswith:
    - .dotx
    - .xltx
    - .potx
condition: all of selection_* and not 1 of filter_main_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-06-21

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1202
Raw Content
title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
references:
    - Internal Research
    - https://twitter.com/Max_Mal_/status/1633863678909874176
    - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
    - https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
        ParentImage|endswith:
            - '\explorer.exe'
            - '\dopus.exe'
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_trusted_location:
        CommandLine|contains:
            # Note: these are the default locations. Admins/Users could add additional ones that you need to cover
            - '\AppData\Roaming\Microsoft\Templates'
            - '\AppData\Roaming\Microsoft\Word\Startup\'
            - '\Microsoft Office\root\Templates\'
            - '\Microsoft Office\Templates\'
    filter_main_dotx:
        # Note: We add this filter to avoid curious people clicking on template files
        CommandLine|endswith:
            - '.dotx'
            - '.xltx'
            - '.potx'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high