Detectionhightest

Potentially Suspicious Office Document Executed From Trusted Location

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Jun 21Updated Wed Oct 18f99abdf0-6283-4e71-bd2b-b5c048a94743windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_parent:
        # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
        ParentImage|endswith:
            - '\explorer.exe'
            - '\dopus.exe'
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_trusted_location:
        CommandLine|contains:
            # Note: these are the default locations. Admins/Users could add additional ones that you need to cover
            - '\AppData\Roaming\Microsoft\Templates'
            - '\AppData\Roaming\Microsoft\Word\Startup\'
            - '\Microsoft Office\root\Templates\'
            - '\Microsoft Office\Templates\'
    filter_main_dotx:
        # Note: We add this filter to avoid curious people clicking on template files
        CommandLine|endswith:
            - '.dotx'
            - '.xltx'
            - '.potx'
    condition: all of selection_* and not 1 of filter_main_*