File With Uncommon Extension Created By An Office Application

Severity: high
Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the creation of files with an executable or script extension by an Office application.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1204.002` User Execution: Malicious File

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `all of selection1`

or:
Image|endswith: '\excel.exe'
Image|endswith: '\msaccess.exe'
Image|endswith: '\mspub.exe'
Image|endswith: '\powerpnt.exe'
Image|endswith: '\visio.exe'
Image|endswith: '\winword.exe'

Stage 2: `all of selection2`

or:
TargetFilename|endswith: .bat
TargetFilename|endswith: .cmd
TargetFilename|endswith: .com
TargetFilename|endswith: .dll
TargetFilename|endswith: .exe
TargetFilename|endswith: .hta
TargetFilename|endswith: .ocx
TargetFilename|endswith: .proj
TargetFilename|endswith: .ps1
TargetFilename|endswith: .scf
TargetFilename|endswith: .scr
TargetFilename|endswith: .sys
TargetFilename|endswith: .vbe
TargetFilename|endswith: .vbs
TargetFilename|endswith: .wsf
TargetFilename|endswith: .wsh

Stage 3: `not 1 of filter_main_localassembly`

TargetFilename|endswith: .dll
TargetFilename|contains: '\AppData\Local\assembly\tmp\'

Stage 4: `not 1 of filter_optional_*`

or:
or:
TargetFilename|endswith: .dll
TargetFilename|endswith: .exe
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
TargetFilename|endswith: .com
TargetFilename|contains: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Microsoft\Office\'
TargetFilename|contains: '\BackstageInAppNavCache\'
TargetFilename|endswith: .com
TargetFilename|contains: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Microsoft\Office\'
TargetFilename|contains: '\WebServiceCache\AllUsers'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\excel.exe` corpus 16 (sigma 16) `\msaccess.exe` corpus 2 (sigma 2) `\mspub.exe` corpus 7 (sigma 7) `\powerpnt.exe` corpus 13 (sigma 13) `\visio.exe` corpus 3 (sigma 3) `\winword.exe` corpus 17 (sigma 17)
`TargetFilename`	ends_with	`.bat` corpus 15 (sigma 15) `.cmd` corpus 8 (sigma 8) `.com` corpus 3 (sigma 3) `.dll` corpus 21 (sigma 21) `.exe` corpus 18 (sigma 18) `.hta` corpus 12 (sigma 12) `.ocx` corpus 3 (sigma 3) `.proj` `.ps1` corpus 15 (sigma 15) `.scf` corpus 2 (sigma 2) `.scr` corpus 8 (sigma 8) `.sys` corpus 6 (sigma 6) `.vbe` corpus 13 (sigma 13) `.vbs` corpus 16 (sigma 16) `.wsf` corpus 6 (sigma 6) `.wsh` corpus 2 (sigma 2)
`TargetFilename`	match	`C:\Users\` `\AppData\Local\Microsoft\Office\` `\AppData\Local\Temp\webexdelta\` `\AppData\Local\assembly\tmp\` `\BackstageInAppNavCache\` `\WebServiceCache\AllUsers`

File With Uncommon Extension Created By An Office Application

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection1

Stage 2: all of selection2

Stage 3: not 1 of filter_main_localassembly

Stage 4: not 1 of filter_optional_*

Indicators

Stage 1: `all of selection1`

Stage 2: `all of selection2`

Stage 3: `not 1 of filter_main_localassembly`

Stage 4: `not 1 of filter_optional_*`