Potential Persistence Via Microsoft Office Startup Folder
Detects the creation of Microsoft Office files inside one of the default Office startup folders, a technique used to achieve persistence.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1137 Office Application Startup |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: all of selection_word_paths
or:
- TargetFilename|contains: '\Office'
- TargetFilename|contains: '\Program Files'
- TargetFilename|contains: '\STARTUP'
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
Stage 2: all of selection_word_extension
or:
- TargetFilename|endswith: '.doc'
- TargetFilename|endswith: '.docm'
- TargetFilename|endswith: '.docx'
- TargetFilename|endswith: '.dot'
- TargetFilename|endswith: '.dotm'
- TargetFilename|endswith: '.rtf'
Stage 3: all of selection_excel_paths
or:
- TargetFilename|contains: '\Office'
- TargetFilename|contains: '\Program Files'
- TargetFilename|contains: '\XLSTART'
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
Stage 4: all of selection_excel_extension
or:
- TargetFilename|endswith: '.xls'
- TargetFilename|endswith: '.xlsm'
- TargetFilename|endswith: '.xlsx'
- TargetFilename|endswith: '.xlt'
- TargetFilename|endswith: '.xltm'
Stage 5: not filter_main_office
or:
- Image|endswith: '\EXCEL.exe'
- Image|endswith: '\WINWORD.exe'
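As an added example (not part of the rule or this catalog), the stage logic above evaluated in Python over constructed Sysmon Event ID 11 records: (word paths and word extension) or (excel paths and excel extension), minus writes made by the Office binaries themselves. The predicate lists are transcribed from the rule as rendered here; the event dictionaries, their field names and the sample paths are assumptions.

```python
# Predicates transcribed from the rule as rendered above (Sysmon Event ID 11, FileCreate).
WORD_PATHS = ["\\Office", "\\Program Files", "\\STARTUP", "\\Microsoft\\Word\\STARTUP"]
WORD_EXT = [".doc", ".docm", ".docx", ".dot", ".dotm", ".rtf"]
EXCEL_PATHS = ["\\Office", "\\Program Files", "\\XLSTART", "\\Microsoft\\Excel\\XLSTART"]
EXCEL_EXT = [".xls", ".xlsm", ".xlsx", ".xlt", ".xltm"]
OFFICE_IMAGES = ["\\EXCEL.exe", "\\WINWORD.exe"]


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains' with OR semantics; Sigma string matching is case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value: str, suffixes) -> bool:
    """Sigma 'endswith' with OR semantics, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event: dict) -> bool:
    """Evaluate the rule condition for one Sysmon FileCreate (Event ID 11) record."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    word = contains_any(target, WORD_PATHS) and endswith_any(target, WORD_EXT)
    excel = contains_any(target, EXCEL_PATHS) and endswith_any(target, EXCEL_EXT)
    main_office = endswith_any(image, OFFICE_IMAGES)  # filter_main_office
    return (word or excel) and not main_office


# Constructed sample events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.dotm"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\Normal.dotm"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\book.xlsm"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
]


def alerts(events):
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches(e)]
```

The second sample event is suppressed by the filter because WINWORD.EXE itself wrote Normal.dotm, which is the normal way that template gets updated; the first and third fire because a shell wrote into a startup folder.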
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Image | ends_with | '\EXCEL.exe', '\WINWORD.exe' |
| TargetFilename | ends_with | '.doc', '.docm', '.docx', '.dot', '.dotm', '.rtf', '.xls', '.xlsm', '.xlsx', '.xlt', '.xltm' |
| TargetFilename | match | |