Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Binary In User Directory Spawned From Office Application

Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Jason LynchCreated Tue Apr 02Updated Sat Feb 04aa3a6f94-890e-4e22-b634-ffdfd54792ccwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.exe'
            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\Teams.exe'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
blog.morphisec.com
2
Resolving title…
virustotal.com
MITRE ATT&CK

CAR Analytics

2013-05-002 · CAR 2013-05-002
Rule Metadata
Rule ID
aa3a6f94-890e-4e22-b634-ffdfd54792cc
Status
test
Level
high
Type
Detection
Created
Tue Apr 02
Modified
Sat Feb 04
Author
Jason Lynch
Path
rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
Raw Tags
attack.executionattack.t1204.002attack.g0046car.2013-05-002
View on GitHub