Suspicious Microsoft Office Child Process

Severity: high
Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
Source: upstream

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

MITRE ATT&CK coverage

Tactic           Techniques
Execution        T1047 Windows Management Instrumentation, T1204.002 User Execution: Malicious File
Defense Evasion  T1218.010 System Binary Proxy Execution: Regsvr32

Event coverage

Provider  Event ID  Title
Sysmon    1         Process creation

Stages and Predicates

Stage 1: selection_parent

or:
ParentImage|endswith: '\EQNEDT32.EXE'
ParentImage|endswith: '\EXCEL.EXE'
ParentImage|endswith: '\MSACCESS.EXE'
ParentImage|endswith: '\MSPUB.exe'
ParentImage|endswith: '\ONENOTE.EXE'
ParentImage|endswith: '\POWERPNT.exe'
ParentImage|endswith: '\VISIO.exe'
ParentImage|endswith: '\WINWORD.EXE'
ParentImage|endswith: '\wordpad.exe'
ParentImage|endswith: '\wordview.exe'

Stage 2: 1 of selection_child_processes

or:
Image|endswith: '\AppVLP.exe'
Image|endswith: '\Microsoft.Workflow.Compiler.exe'
Image|endswith: '\bash.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\certoc.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\cmstp.exe'
Image|endswith: '\control.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\curl.exe'
Image|endswith: '\forfiles.exe'
Image|endswith: '\hh.exe'
Image|endswith: '\ieexec.exe'
Image|endswith: '\installutil.exe'
Image|endswith: '\javaw.exe'
Image|endswith: '\mftrace.exe'
Image|endswith: '\msbuild.exe'
Image|endswith: '\msdt.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\msidb.exe'
Image|endswith: '\msiexec.exe'
Image|endswith: '\msxsl.exe'
Image|endswith: '\odbcconf.exe'
Image|endswith: '\pcalua.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regasm.exe'
Image|endswith: '\regsvcs.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\scrcons.exe'
Image|endswith: '\scriptrunner.exe'
Image|endswith: '\sh.exe'
Image|endswith: '\svchost.exe'
Image|endswith: '\verclsid.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\workfolders.exe'
Image|endswith: '\wscript.exe'
OriginalFileName: CMSTP.EXE
OriginalFileName: CertOC.exe
OriginalFileName: CertUtil.exe
OriginalFileName: Cmd.Exe
OriginalFileName: HH.exe
OriginalFileName: IEExec.exe
OriginalFileName: InstallUtil.exe
OriginalFileName: MSHTA.EXE
OriginalFileName: Microsoft.Workflow.Compiler.exe
OriginalFileName: Msxsl.exe
OriginalFileName: PowerShell.EXE
OriginalFileName: REGSVR32.exe
OriginalFileName: RUNDLL32.exe
OriginalFileName: RegAsm.exe
OriginalFileName: RegSvcs.exe
OriginalFileName: ScriptRunner.exe
OriginalFileName: WorkFolders.exe
OriginalFileName: bitsadmin.exe
OriginalFileName: cscript.exe
OriginalFileName: curl.exe
OriginalFileName: javaw.exe
OriginalFileName: msdt.exe
OriginalFileName: msiexec.exe
OriginalFileName: odbcconf.exe
OriginalFileName: pcalua.exe
OriginalFileName: schtasks.exe
OriginalFileName: wmic.exe
OriginalFileName: wscript.exe

Stage 3: 1 of selection_child_susp_paths

or:
Image|contains: '\AppData\'
Image|contains: '\ProgramData\'
Image|contains: '\Users\Public\'
Image|contains: '\Windows\System32\Tasks\'
Image|contains: '\Windows\Tasks\'
Image|contains: '\Windows\Temp\'

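As an added example (not part of this catalog entry or the upstream rule), the three selections above evaluated in Python over constructed Sysmon Event ID 1 records. The child-process lists are trimmed to a subset of the page's values, and the combining condition `selection_parent and 1 of selection_child_*` is an assumption, since the page lists the stages without stating how they combine.

```python
"""Evaluate the rule's three selections over constructed Sysmon Event ID 1 records."""
# Values taken from the rule page (child lists are a subset); Sigma matching is case-insensitive, so both sides are lowercased.
PARENT_SUFFIXES = ("\\EQNEDT32.EXE", "\\EXCEL.EXE", "\\MSACCESS.EXE", "\\MSPUB.exe", "\\ONENOTE.EXE",
                   "\\POWERPNT.exe", "\\VISIO.exe", "\\WINWORD.EXE", "\\wordpad.exe", "\\wordview.exe")
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\mshta.exe", "\\wscript.exe", "\\cscript.exe",
                  "\\regsvr32.exe", "\\rundll32.exe", "\\certutil.exe", "\\msdt.exe", "\\schtasks.exe", "\\wmic.exe")
CHILD_ORIGINAL_NAMES = ("Cmd.Exe", "PowerShell.EXE", "MSHTA.EXE", "wscript.exe", "cscript.exe", "REGSVR32.exe",
                        "RUNDLL32.exe", "CertUtil.exe", "msdt.exe", "schtasks.exe", "wmic.exe")
SUSP_PATH_FRAGMENTS = ("\\AppData\\", "\\ProgramData\\", "\\Users\\Public\\",
                       "\\Windows\\System32\\Tasks\\", "\\Windows\\Tasks\\", "\\Windows\\Temp\\")

def _lc(ev, field):
    return str(ev.get(field, "")).lower()

def selection_parent(ev):
    """Stage 1: ParentImage|endswith one of the Office binaries."""
    return _lc(ev, "ParentImage").endswith(tuple(s.lower() for s in PARENT_SUFFIXES))

def selection_child_processes(ev):
    """Stage 2: Image|endswith a listed binary, or OriginalFileName (the PE header name) equals one."""
    return (_lc(ev, "Image").endswith(tuple(s.lower() for s in CHILD_SUFFIXES))
            or _lc(ev, "OriginalFileName") in {n.lower() for n in CHILD_ORIGINAL_NAMES})

def selection_child_susp_paths(ev):
    """Stage 3: Image|contains a user-writable or task-scheduler path fragment."""
    return any(frag.lower() in _lc(ev, "Image") for frag in SUSP_PATH_FRAGMENTS)

SELECTIONS = {"selection_parent": selection_parent, "selection_child_processes": selection_child_processes,
              "selection_child_susp_paths": selection_child_susp_paths}

def fired_selections(ev):
    return [name for name, pred in SELECTIONS.items() if pred(ev)]

def matches(ev):
    # Assumed combining condition (the page lists the stages only): selection_parent and 1 of selection_child_*
    return selection_parent(ev) and (selection_child_processes(ev) or selection_child_susp_paths(ev))

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [  # constructed Sysmon Event ID 1 records, not real telemetry
    {"ParentImage": WINWORD, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"ParentImage": WINWORD.replace("WINWORD", "EXCEL"), "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "OriginalFileName": "setup.exe"},
    {"ParentImage": WINWORD, "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "OriginalFileName": "Acrobat.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"ParentImage": WINWORD, "Image": r"C:\Users\bob\Downloads\notes.exe", "OriginalFileName": "PowerShell.EXE"},
]

def alerts(events):
    """(index, fired selections) for every event the rule would alert on."""
    return [(i, fired_selections(ev)) for i, ev in enumerate(events) if matches(ev)]
```

Events 0, 1 and 4 alert; event 2 has an Office parent but no child stage fires, and event 3 has a non-Office parent. Event 4 shows why the OriginalFileName predicates matter: the on-disk name is not on the list, but the PE header name is.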
Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field and kind, with the matched values listed beneath each:

Field: Image, kind: ends_with
  • \AppVLP.exe corpus 6 (sigma 6)
  • \Microsoft.Workflow.Compiler.exe corpus 2 (sigma 2)
  • \bash.exe corpus 17 (sigma 17)
  • \bitsadmin.exe corpus 23 (sigma 23)
  • \certoc.exe corpus 10 (sigma 10)
  • \certutil.exe corpus 34 (sigma 34)
  • \cmd.exe corpus 92 (sigma 92)
  • \cmstp.exe corpus 9 (sigma 9)
  • \control.exe corpus 3 (sigma 3)
  • \cscript.exe corpus 64 (sigma 64)
  • \curl.exe corpus 19 (sigma 19)
  • \forfiles.exe corpus 11 (sigma 11)
  • \hh.exe corpus 14 (sigma 14)
  • \ieexec.exe corpus 2 (sigma 2)
  • \installutil.exe corpus 5 (sigma 5)
  • \javaw.exe corpus 2 (sigma 2)
  • \mftrace.exe corpus 6 (sigma 6)
  • \msbuild.exe corpus 7 (sigma 7)
  • \msdt.exe corpus 10 (sigma 10)
  • \mshta.exe corpus 57 (sigma 57)
  • \msidb.exe corpus 2 (sigma 2)
  • \msiexec.exe corpus 21 (sigma 21)
  • \msxsl.exe corpus 7 (sigma 7)
  • \odbcconf.exe corpus 11 (sigma 11)
  • \pcalua.exe corpus 3 (sigma 3)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \regasm.exe corpus 4 (sigma 4)
  • \regsvcs.exe corpus 3 (sigma 3)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \rundll32.exe corpus 76 (sigma 76)
  • \schtasks.exe corpus 45 (sigma 45)
  • \scrcons.exe corpus 8 (sigma 8)
  • \scriptrunner.exe corpus 8 (sigma 8)
  • \sh.exe corpus 13 (sigma 13)
  • \svchost.exe corpus 20 (sigma 20)
  • \verclsid.exe corpus 4 (sigma 4)
  • \wmic.exe corpus 37 (sigma 37)
  • \workfolders.exe corpus 2 (sigma 2)
  • \wscript.exe corpus 64 (sigma 64)
Field: Image, kind: match
  • \AppData\ corpus 9 (sigma 9)
  • \ProgramData\ corpus 2 (sigma 2)
  • \Users\Public\ corpus 8 (sigma 8)
  • \Windows\System32\Tasks\ corpus 4 (sigma 4)
  • \Windows\Tasks\ corpus 4 (sigma 4)
  • \Windows\Temp\ corpus 7 (sigma 7)
Field: OriginalFileName, kind: eq
  • CMSTP.EXE corpus 4 (sigma 4)
  • CertOC.exe corpus 6 (sigma 6)
  • CertUtil.exe corpus 13 (sigma 13)
  • Cmd.Exe corpus 32 (sigma 30, splunk 2)
  • HH.exe corpus 5 (sigma 5)
  • IEExec.exe corpus 3 (sigma 3)
  • InstallUtil.exe corpus 5 (sigma 5)
  • MSHTA.EXE corpus 7 (sigma 7)
  • Microsoft.Workflow.Compiler.exe corpus 2 (sigma 2)
  • Msxsl.exe corpus 2 (sigma 2)
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • REGSVR32.exe corpus 2 (sigma 2)
  • RUNDLL32.exe corpus 3 (sigma 3)
  • RegAsm.exe corpus 6 (sigma 6)
  • RegSvcs.exe corpus 5 (sigma 5)
  • ScriptRunner.exe corpus 3 (sigma 3)
  • WorkFolders.exe corpus 2 (sigma 2)
  • bitsadmin.exe corpus 9 (sigma 9)
  • cscript.exe corpus 15 (sigma 15)
  • curl.exe corpus 11 (sigma 11)
  • javaw.exe corpus 2 (sigma 2)
  • msdt.exe corpus 6 (sigma 6)
  • msiexec.exe corpus 5 (sigma 5)
  • odbcconf.exe corpus 9 (sigma 9)
  • pcalua.exe corpus 2 (sigma 2)
  • schtasks.exe corpus 14 (sigma 14)
  • wmic.exe corpus 33 (sigma 33)
  • wscript.exe corpus 15 (sigma 15)
Field: ParentImage, kind: ends_with
  • \EQNEDT32.EXE corpus 2 (sigma 2)
  • \EXCEL.EXE corpus 3 (sigma 3)
  • \MSACCESS.EXE corpus 2 (sigma 2)
  • \MSPUB.exe corpus 3 (sigma 3)
  • \ONENOTE.EXE corpus 2 (sigma 2)
  • \POWERPNT.exe corpus 3 (sigma 3)
  • \VISIO.exe corpus 3 (sigma 3)
  • \WINWORD.EXE corpus 3 (sigma 3)
  • \wordpad.exe corpus 2 (sigma 2)
  • \wordview.exe corpus 2 (sigma 2)