Detection rules › Sigma

Office Macro File Creation From Suspicious Process

Status
test
Severity
high
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects the creation of an Office macro-enabled file from a suspicious process

MITRE ATT&CK coverage

Tactic          Technique
Initial Access  T1566.001 Phishing: Spearphishing Attachment

Event coverage

Provider  Event        Title
Sysmon    Event ID 11  FileCreate

Rule body yaml

title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of an Office macro-enabled file from a suspicious process
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_cmd:
        - Image|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
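To make the evaluation order of this rule concrete, here is an added example (it is not part of the SigmaHQ rule or of this page) that applies the detection logic above to a handful of constructed Sysmon Event ID 11 records. It reproduces the Sigma semantics that matter here: `endswith` compares case-insensitively, a list of values under one field is OR, the two field maps listed under `selection_cmd` are OR, and `all of selection_*` is AND across the two selections. The event dictionaries, paths and file names are made up for illustration; the only field names used are Sysmon's `Image` and `TargetFilename` plus the `ParentImage` enrichment field the rule's `definition` warns about. Event 5 shows the practical consequence of that caveat: the same write via a child of `rundll32.exe` is invisible when `ParentImage` has not been added to the log.

```python
"""
Added example: minimal evaluator for the "Office Macro File Creation From
Suspicious Process" Sigma rule, run over constructed Sysmon EID 11 records.
Not the SigmaHQ project's code; sample events below are synthetic.
"""
from typing import Iterable, Mapping, Optional

# Values copied from the rule body (selection_cmd and selection_ext).
SCRIPT_HOSTS = ('\\cscript.exe', '\\mshta.exe', '\\regsvr32.exe',
                '\\rundll32.exe', '\\wscript.exe')
MACRO_EXTS = ('.docm', '.dotm', '.xlsm', '.xltm', '.potm', '.pptm')


def _endswith_any(value: Optional[str], suffixes: Iterable[str]) -> bool:
    # Sigma string modifiers are case-insensitive unless |cased is added,
    # so "UPDATE.DOCM" must match ".docm". A missing field never matches.
    if value is None:
        return False
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def selection_cmd(event: Mapping[str, str]) -> bool:
    # Two field maps in one YAML list: either the writing process itself or
    # its (enriched) parent may be one of the script hosts.
    return (_endswith_any(event.get('Image'), SCRIPT_HOSTS)
            or _endswith_any(event.get('ParentImage'), SCRIPT_HOSTS))


def selection_ext(event: Mapping[str, str]) -> bool:
    # Only macro-enabled container extensions; .docx/.xlsx are not listed.
    return _endswith_any(event.get('TargetFilename'), MACRO_EXTS)


def matches(event: Mapping[str, str]) -> bool:
    # condition: all of selection_*  ->  selection_cmd AND selection_ext
    return selection_cmd(event) and selection_ext(event)


# Constructed sample events (not real telemetry); only keys the rule reads.
EVENTS = [
    # 1. wscript.exe drops a macro-enabled workbook: fires.
    {'EventID': 11, 'Image': 'C:\\Windows\\System32\\wscript.exe',
     'TargetFilename': 'C:\\Users\\Public\\Invoice.xlsm'},
    # 2. Word saving its own .docm: ordinary user activity, no match.
    {'EventID': 11,
     'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'TargetFilename': 'C:\\Users\\alice\\Documents\\Report.docm'},
    # 3. Upper-case path and extension: still fires (case-insensitive).
    {'EventID': 11, 'Image': 'C:\\Windows\\SysWOW64\\MSHTA.EXE',
     'TargetFilename': 'C:\\Users\\Public\\Downloads\\UPDATE.DOCM'},
    # 4. cmd.exe spawned by rundll32.exe, log enriched with ParentImage: fires.
    {'EventID': 11, 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'ParentImage': 'C:\\Windows\\System32\\rundll32.exe',
     'TargetFilename': 'C:\\Users\\Public\\payload.pptm'},
    # 5. Same write as 4 but default Sysmon EID 11 (no ParentImage): missed.
    {'EventID': 11, 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'TargetFilename': 'C:\\Users\\Public\\payload.pptm'},
    # 6. Script host writes a plain .docx (not a macro container): no match.
    {'EventID': 11, 'Image': 'C:\\Windows\\System32\\cscript.exe',
     'TargetFilename': 'C:\\Temp\\notes.docx'},
]


def run(events=EVENTS) -> list:
    """Return the 1-based indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events, start=1) if matches(ev)]


if __name__ == '__main__':
    for i, ev in enumerate(EVENTS, start=1):
        print(f'event {i}: {"ALERT" if matches(ev) else "no match"}')
```

Running the script alerts on events 1, 3 and 4 only. Event 5 is the gap the `definition` field describes: without `ParentImage` enrichment the rule only catches files written directly by the script host, not by processes it launched.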

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_cmd

selection_cmd:
    - Image|endswith:
          - '\cscript.exe'
          - '\mshta.exe'
          - '\regsvr32.exe'
          - '\rundll32.exe'
          - '\wscript.exe'
    # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
    - ParentImage|endswith:
          - '\cscript.exe'
          - '\mshta.exe'
          - '\regsvr32.exe'
          - '\rundll32.exe'
          - '\wscript.exe'

Stage 2: selection_ext

selection_ext:
    TargetFilename|endswith:
        - '.docm'
        - '.dotm'
        - '.xlsm'
        - '.xltm'
        - '.potm'
        - '.pptm'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or a count of 1 shows that the indicator is specific to this rule.

Field: Image    Kind: ends_with
  • \cscript.exe corpus 76 (sigma 76)
  • \mshta.exe corpus 69 (sigma 69)
  • \regsvr32.exe corpus 68 (sigma 68)
  • \rundll32.exe corpus 103 (sigma 103)
  • \wscript.exe corpus 78 (sigma 78)
Field: ParentImage    Kind: ends_with
  • \cscript.exe corpus 18 (sigma 18)
  • \mshta.exe corpus 14 (sigma 14)
  • \regsvr32.exe corpus 12 (sigma 12)
  • \rundll32.exe corpus 17 (sigma 17)
  • \wscript.exe corpus 20 (sigma 20)
Field: TargetFilename    Kind: ends_with
  • .docm corpus 5 (sigma 5)
  • .dotm corpus 5 (sigma 5)
  • .potm corpus 3 (sigma 3)
  • .pptm corpus 3 (sigma 3)
  • .xlsm corpus 5 (sigma 5)
  • .xltm corpus 5 (sigma 5)