Detectionlowtest
Office Macro File Download
Detects the creation of a new office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Sun Jan 23Updated Wed Oct 290e29e3a7-1ad8-40aa-b691-9f82ecd33d66windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection_processes:
Image|endswith:
# Email clients
- '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
- '\outlook.exe'
- '\thunderbird.exe'
# Browsers
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\maxthon.exe'
- '\MicrosoftEdge.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\opera.exe'
- '\safari.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
- '\whale.exe'
selection_ext:
- TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
- TargetFilename|contains:
- '.docm:Zone'
- '.dotm:Zone'
- '.xlsm:Zone'
- '.xltm:Zone'
- '.potm:Zone'
- '.pptm:Zone'
condition: all of selection_*False Positives
Legitimate macro files downloaded from the internet
Legitimate macro files sent as attachments via emails
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
Status
test
Level
low
Type
Detection
Created
Sun Jan 23
Modified
Wed Oct 29
Path
rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
Raw Tags
attack.initial-accessattack.t1566.001