
Uncommon File Created In Office Startup Folder

Detects the creation of a file with an uncommon extension in an Office application startup folder

Authors: François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Created: Sun Jun 05
Updated: Wed Dec 13
Rule ID: a10a2c40-2c4d-49f8-b557-1a946bc55d9d

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb' # MS Access DB
            - '.mdw' # MS Access DB
            - '.pdf' # PDF documents
            - '.wll' # Word add-in
            - '.wwl' # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
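To see what the selectors, exclusion filters and condition above actually match, here is an added Python port of the rule's logic (not code from the Sigma project or from this page) run over a few constructed Sysmon FileCreate records; the paths and process names in EVENTS are made up.

```python
# Added example (not from the rule or the page): the rule's selectors, filters and
# condition ported to Python and run over constructed Sysmon Event ID 11 records.
WORD_EXT = ('.docb', '.docm', '.docx', '.dotm', '.mdb', '.mdw', '.pdf', '.wll', '.wwl')
EXCEL_EXT = ('.xll', '.xls', '.xlsm', '.xlsx', '.xlt', '.xltm', '.xlw')

def word_startup(target: str) -> bool:
    # selection_word_paths; Sigma string modifiers match case-insensitively
    t = target.lower()
    return ('\\microsoft\\word\\startup' in t
            or all(p in t for p in ('\\office', '\\program files', '\\startup')))

def excel_startup(target: str) -> bool:
    # selection_excel_paths
    t = target.lower()
    return ('\\microsoft\\excel\\xlstart' in t
            or all(p in t for p in ('\\office', '\\program files', '\\xlstart')))

def trusted_office_process(image: str) -> bool:
    # "1 of filter_main_*": the ClickToRun updater or Word/Excel from the install dir
    i = image.lower()
    click_to_run = (':\\program files\\common files\\microsoft shared\\clicktorun\\' in i
                    and i.endswith('\\officeclicktorun.exe'))
    office_app = (any(p in i for p in (':\\program files\\microsoft office\\',
                                       ':\\program files (x86)\\microsoft office\\'))
                  and i.endswith(('\\winword.exe', '\\excel.exe')))
    return click_to_run or office_app

def matches(event: dict) -> bool:
    # condition: ((word and not word_ext) or (excel and not excel_ext)) and not filter_main_*
    target, image = event.get('TargetFilename', ''), event.get('Image', '')
    t = target.lower()
    word = word_startup(target) and not t.endswith(WORD_EXT)
    excel = excel_startup(target) and not t.endswith(EXCEL_EXT)
    return (word or excel) and not trusted_office_process(image)

EVENTS = [  # constructed Sysmon FileCreate samples, not real telemetry
    {'TargetFilename': r'C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\helper.dll',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'},
    {'TargetFilename': r'C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal.dotm',
     'Image': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'},
    {'TargetFilename': r'C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\macros.xlam',
     'Image': r'C:\Users\alice\Downloads\installer.exe'},
    {'TargetFilename': r'C:\Program Files\Microsoft Office\root\Office16\XLSTART\addin.xlam',
     'Image': r'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'},
]

def alerts(events):
    # TargetFilename of every record the rule fires on
    return [e['TargetFilename'] for e in events if matches(e)]
```

The third sample shows that `.xlam` is not in filter_exclude_excel_ext, so an add-in written to XLSTART by a non-Office process fires the rule as written; the fourth shows the same extension being suppressed only because the writer is OfficeClickToRun.exe.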
False Positives

False positives might stem from rare extensions used by other Office utilities.

Rule Metadata
Rule ID
a10a2c40-2c4d-49f8-b557-1a946bc55d9d
Status
test
Level
high
Type
Detection
Created
Sun Jun 05
Modified
Wed Dec 13
Path
rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
Raw Tags
attack.resource-development, attack.t1587.001