Type: Detection | Level: high | Status: test
Office Macro File Creation From Suspicious Process
Detects the creation of an Office macro file from a suspicious process.
Author: François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Created: Sun Jan 23
Updated: Wed Feb 22
Rule ID: b1c50487-1967-4315-a026-6491686d860e
Product: windows
Log Source
Windows / File Event
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Definition
Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To use this rule to its full extent, you need to enrich the log with additional ParentImage data.
Detection Logic (2 selectors)
detection:
    selection_cmd:
        - Image|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
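The following is an added example, not part of the Sigma rule or of any SigmaHQ tooling: it evaluates the rule's logic in plain Python over constructed Sysmon EID 11 (FileCreate) events. It shows that the two maps inside selection_cmd are OR-ed (Image or ParentImage), that the extension check is AND-ed with it, and that without the ParentImage enrichment the rule misses a macro file written by a child of mshta.exe. All event values are constructed samples.

```python
# Added example: Python evaluation of the Sigma rule
# "Office Macro File Creation From Suspicious Process" over constructed events.
SUSPICIOUS_IMAGES = ("\\cscript.exe", "\\mshta.exe", "\\regsvr32.exe",
                     "\\rundll32.exe", "\\wscript.exe")
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")


def endswith_any(value, suffixes):
    # Sigma string modifiers match case-insensitively by default;
    # a missing field (e.g. no ParentImage enrichment) never matches.
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_cmd(event):
    # A list of maps in a Sigma selection is OR-ed: Image OR ParentImage.
    return (endswith_any(event.get("Image"), SUSPICIOUS_IMAGES)
            or endswith_any(event.get("ParentImage"), SUSPICIOUS_IMAGES))


def selection_ext(event):
    return endswith_any(event.get("TargetFilename"), MACRO_EXTENSIONS)


def rule_matches(event):
    # condition: all of selection_*  ->  selection_cmd AND selection_ext
    return selection_cmd(event) and selection_ext(event)


# Constructed Sysmon EID 11 events (not real telemetry).
EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\invoice.docm"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\u\\Documents\\report.docm"},          # benign Office save
    {"EventID": 11, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\tmp1.tmp"},  # wrong extension
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "TargetFilename": "C:\\Users\\Public\\macro.xlsm"},                 # caught via ParentImage
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\Public\\macro.xlsm"},                 # same, but no enrichment
]


def matching_events(events):
    # Returns the TargetFilename of every FileCreate event the rule fires on.
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == 11 and rule_matches(e)]


if __name__ == "__main__":
    for name in matching_events(EVENTS):
        print("ALERT:", name)
```

The last two events are identical apart from the ParentImage field, which is exactly the gap the Requirements note above describes.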
MITRE ATT&CK
Tactics: Initial Access (attack.initial-access)
Sub-techniques: T1566.001 Phishing: Spearphishing Attachment (attack.t1566.001)
Rule Metadata
Rule ID
b1c50487-1967-4315-a026-6491686d860e
Status
test
Level
high
Type
Detection
Created
Sun Jan 23
Modified
Wed Feb 22
Path
rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
Raw Tags
attack.initial-access, attack.t1566.001