detection.wiki

Detection rules › Sigma

Office Macro File Download

Severity
low
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects the creation of a new office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1566.001 Phishing: Spearphishing Attachment

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: all of selection_processes

or:
Image|endswith: '\MicrosoftEdge.exe'
Image|endswith: '\RuntimeBroker.exe'
Image|endswith: '\brave.exe'
Image|endswith: '\chrome.exe'
Image|endswith: '\firefox.exe'
Image|endswith: '\iexplore.exe'
Image|endswith: '\maxthon.exe'
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
Image|endswith: '\opera.exe'
Image|endswith: '\outlook.exe'
Image|endswith: '\safari.exe'
Image|endswith: '\seamonkey.exe'
Image|endswith: '\thunderbird.exe'
Image|endswith: '\vivaldi.exe'
Image|endswith: '\whale.exe'

Stage 2: all of selection_ext

or:
TargetFilename|endswith: .docm
TargetFilename|endswith: .dotm
TargetFilename|endswith: .potm
TargetFilename|endswith: .pptm
TargetFilename|endswith: .xlsm
TargetFilename|endswith: .xltm
TargetFilename|contains: '.docm:Zone'
TargetFilename|contains: '.dotm:Zone'
TargetFilename|contains: '.potm:Zone'
TargetFilename|contains: '.pptm:Zone'
TargetFilename|contains: '.xlsm:Zone'
TargetFilename|contains: '.xltm:Zone'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \MicrosoftEdge.exe corpus 3 (sigma 3)
  • \RuntimeBroker.exe corpus 4 (sigma 4)
  • \brave.exe corpus 20 (sigma 20)
  • \chrome.exe corpus 11 (sigma 11)
  • \firefox.exe corpus 6 (sigma 6)
  • \iexplore.exe corpus 4 (sigma 4)
  • \maxthon.exe corpus 13 (sigma 13)
  • \msedge.exe corpus 22 (sigma 22)
  • \msedgewebview2.exe corpus 15 (sigma 15)
  • \opera.exe corpus 21 (sigma 21)
  • \outlook.exe corpus 16 (sigma 16)
  • \safari.exe corpus 12 (sigma 12)
  • \seamonkey.exe corpus 13 (sigma 13)
  • \thunderbird.exe corpus 2 (sigma 2)
  • \vivaldi.exe corpus 19 (sigma 19)
  • \whale.exe corpus 12 (sigma 12)
TargetFilenameends_with
  • .docm corpus 5 (sigma 5)
  • .dotm corpus 5 (sigma 5)
  • .potm corpus 3 (sigma 3)
  • .pptm corpus 3 (sigma 3)
  • .xlsm corpus 5 (sigma 5)
  • .xltm corpus 5 (sigma 5)
TargetFilenamematch
  • .docm:Zone corpus 2 (sigma 2)
  • .dotm:Zone
  • .potm:Zone
  • .pptm:Zone corpus 2 (sigma 2)
  • .xlsm:Zone corpus 2 (sigma 2)
  • .xltm:Zone