Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

File With Uncommon Extension Created By An Office Application

Detects the creation of files with an executable or script extension by an Office application.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Vadim Khrykov (ThreatIntel), Cyb3rEng, Nasreddine Bencherchali (Nextron Systems)Created Mon Aug 23Updated Fri Oct 17c7a74c80-ba5a-486e-9974-ab9e682bc5e4windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic6 selectors
detection:
    # Note: Please add more file extensions to the logic of your choice.
    selection1:
        Image|endswith:
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    selection2:
        TargetFilename|endswith:
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ocx'
            - '.proj'
            - '.ps1'
            - '.scf'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    filter_main_localassembly:
        TargetFilename|contains: '\AppData\Local\assembly\tmp\'
        TargetFilename|endswith: '.dll'
    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\WebServiceCache\AllUsers'
        TargetFilename|endswith: '.com'
    filter_optional_webex:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\BackstageInAppNavCache\'
        TargetFilename|endswith: '.com'
    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
thedfirreport.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
c7a74c80-ba5a-486e-9974-ab9e682bc5e4
Status
test
Level
high
Type
Detection
Created
Mon Aug 23
Modified
Fri Oct 17
Author
Vadim Khrykov (ThreatIntel), Cyb3rEng, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
Raw Tags
attack.t1204.002attack.execution
View on GitHub