Uncommon File Created In Office Startup Folder

Severity: high
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the creation of a file with an uncommon extension in an Office application startup folder

MITRE ATT&CK coverage

Tactic	Techniques
Resource Development	`T1587.001` Develop Capabilities: Malware

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection_word_paths`

or:
TargetFilename|contains: '\Office'
TargetFilename|contains: '\Program Files'
TargetFilename|contains: '\STARTUP'
TargetFilename|contains: '\Microsoft\Word\STARTUP'

Stage 2: `not filter_exclude_word_ext`

or:
TargetFilename|endswith: .docb
TargetFilename|endswith: .docm
TargetFilename|endswith: .docx
TargetFilename|endswith: .dotm
TargetFilename|endswith: .mdb
TargetFilename|endswith: .mdw
TargetFilename|endswith: .pdf
TargetFilename|endswith: .wll
TargetFilename|endswith: .wwl

Stage 3: `selection_excel_paths`

or:
TargetFilename|contains: '\Office'
TargetFilename|contains: '\Program Files'
TargetFilename|contains: '\XLSTART'
TargetFilename|contains: '\Microsoft\Excel\XLSTART'

Stage 4: `not filter_exclude_excel_ext`

or:
TargetFilename|endswith: .xll
TargetFilename|endswith: .xls
TargetFilename|endswith: .xlsm
TargetFilename|endswith: .xlsx
TargetFilename|endswith: .xlt
TargetFilename|endswith: .xltm
TargetFilename|endswith: .xlw

Stage 5: `not 1 of filter_main_*`

or:
or:
Image|endswith: '\excel.exe'
Image|endswith: '\winword.exe'
or:
Image|contains: ':\Program Files (x86)\Microsoft Office\'
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\OfficeClickToRun.exe'
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\OfficeClickToRun.exe` corpus 10 (sigma 10) `\excel.exe` corpus 16 (sigma 16) `\winword.exe` corpus 17 (sigma 17)
`Image`	match	`:\Program Files (x86)\Microsoft Office\` corpus 2 (sigma 2) `:\Program Files\Common Files\Microsoft Shared\ClickToRun\` corpus 2 (sigma 2) `:\Program Files\Microsoft Office\` corpus 4 (sigma 4)
`TargetFilename`	ends_with	`.docb` `.docm` corpus 5 (sigma 5) `.docx` corpus 2 (sigma 2) `.dotm` corpus 5 (sigma 5) `.mdb` `.mdw` `.pdf` corpus 2 (sigma 2) `.wll` corpus 2 (sigma 2) `.wwl` `.xll` corpus 2 (sigma 2) `.xls` corpus 2 (sigma 2) `.xlsm` corpus 5 (sigma 5) `.xlsx` corpus 2 (sigma 2) `.xlt` corpus 2 (sigma 2) `.xltm` corpus 5 (sigma 5) `.xlw`
`TargetFilename`	match	`\Microsoft\Excel\XLSTART` corpus 2 (sigma 2) `\Microsoft\Word\STARTUP` corpus 2 (sigma 2) `\Office` corpus 2 (sigma 2) `\Program Files` corpus 2 (sigma 2) `\STARTUP` corpus 2 (sigma 2) `\XLSTART` corpus 2 (sigma 2)

Uncommon File Created In Office Startup Folder

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_word_paths

Stage 2: not filter_exclude_word_ext

Stage 3: selection_excel_paths