BazaCall adversaries use malicious macro-enabled Excel files to execute their payload and establish initial access. SOC teams should proactively hunt in Azure Sentinel (now Microsoft Sentinel) for Excel spawning an unusual child process, here one whose command line creates a directory, copies a file and invokes certutil.exe, so that a compromise is caught early.
KQL Query
```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "excel.exe"
    and ProcessCommandLine has_all('mkdir', '&& copy', 'certutil.exe')
```
```yaml
id: fa2c1c3a-18f8-4c83-8501-ea110873f99f
name: Excel Macro Execution
description: |
  BazaCall uses malicious macro-enabled Excel documents to execute their payload.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "excel.exe"
      and ProcessCommandLine has_all('mkdir', '&& copy', 'certutil.exe')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled |
The query only fires when Excel's child process has all three terms on its command line, so legitimate macros rarely reach it. Any exclusion should therefore pin the exact known-benign child command line and the workbook that runs it, never just the account, the tool or the way Excel was launched.
Scenario: Scheduled Excel Macro for Report Generation
Description: A legitimate scheduled job runs a macro-enabled Excel file to generate daily reports using Microsoft Excel.
Filter/Exclusion: Pin the exclusion to the job's context rather than to Task Scheduler in general: the expected DeviceName and service AccountName, the known workbook path in InitiatingProcessCommandLine, and the exact benign child ProcessCommandLine. On current Windows the Schedule service launches tasks from svchost.exe, so InitiatingProcessParentFileName can be checked as well; schtasks.exe only registers or triggers tasks and does not appear as the parent of the scheduled Excel run.
Scenario: Admin Uses Excel Macro for Data Automation
Description: An administrator uses a macro-enabled Excel file to automate data import/export tasks between systems.
Filter/Exclusion: Do not exclude on group membership or on runas: DeviceProcessEvents does not record group membership, and an attacker who has phished an administrator runs with exactly those rights. Exclude only the known workbook path in InitiatingProcessCommandLine combined with the exact child command line the automation is expected to run, and revisit the exclusion whenever the workbook changes.
Scenario: Excel Macro for Legacy System Integration
Description: A macro-enabled Excel file is used to interface with an older legacy system via COM automation.
Filter/Exclusion: COM object use (Excel.Application) is not visible in DeviceProcessEvents and cannot be used as an exclusion. A macro that launches the integration executable (e.g., LegacySystemIntegration.exe) only reaches this query if that child's command line contains all three terms; in that case exclude on the child's FileName, FolderPath and SHA256 together with its exact command line, scoped to the hosts that run the integration.
Scenario: Excel Macro for Data Validation and Cleaning
Description: A macro is used to clean and validate data in an Excel spreadsheet before exporting to a database.
Filter/Exclusion: A macro name such as DataCleaner is not recorded in DeviceProcessEvents; the workbook path on Excel's command line (InitiatingProcessCommandLine containing C:\Tools\DataValidation\DataCleaner.xlsm) is the usable key. Pair it with the exact benign child command line; a bare directory exclusion would also hide any malicious workbook dropped into C:\Tools\DataValidation.
Scenario: Excel Macro for User-Driven Data Analysis
Description: A user runs a macro-enabled Excel file to perform custom data analysis using a trusted internal tool.
Filter/Exclusion: The query already requires Excel as the initiating process, so filtering on explorer.exe or cmd.exe (which would be Excel's parent, InitiatingProcessParentFileName, not the initiating process) does not narrow it. Exclude the known workbook (InitiatingProcessCommandLine containing InternalAnalysisTool.xlsm) together with the exact child command line it legitimately runs, and expect such exclusions to be rare: an interactive user's macro running mkdir, copy and certutil.exe is precisely what this hunt is for.
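The query's operators and the tuning guidance above, exercised against constructed DeviceProcessEvents rows. This is an added Python model written for this page, not Sentinel code and not Microsoft's; the hosts, accounts, workbook paths and benign command line are assumptions, and the svchost.exe parent for scheduled tasks is an assumption about current Windows. Rows 1 and 3 alert, row 2 is excluded by the scheduled-job exclusion, rows 4 and 5 never match the rule.

```python
"""Reference model of the Excel Macro Execution hunt over DeviceProcessEvents.

Added example, not the page's or Microsoft's code. The two KQL operators the
query depends on are re-implemented in plain Python so the rule and the
false-positive exclusions can be run offline against constructed rows:
  =~       case-insensitive equality
  has_all  every term present (KQL matches whole terms; case-insensitive
           substring search is used here and is slightly looser)
Hosts, accounts, paths and command lines are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DeviceProcessEvent:
    """The DeviceProcessEvents columns used by the hunt and its tuning."""
    DeviceName: str
    AccountName: str
    InitiatingProcessParentFileName: str  # parent of the Excel process
    InitiatingProcessFileName: str        # process that spawned the child
    InitiatingProcessCommandLine: str     # Excel's command line (workbook path)
    FileName: str                         # the spawned child
    ProcessCommandLine: str               # the child's command line


REQUIRED_TERMS = ("mkdir", "&& copy", "certutil.exe")  # from the page's query

def kql_eq_ci(a: str, b: str) -> bool:
    return a.lower() == b.lower()

def kql_has_all(text: str, terms: Iterable[str]) -> bool:
    lowered = text.lower()
    return all(term.lower() in lowered for term in terms)

def matches_rule(ev: DeviceProcessEvent) -> bool:
    """The page's query: Excel spawned a child whose command line has all terms."""
    return kql_eq_ci(ev.InitiatingProcessFileName, "excel.exe") and kql_has_all(
        ev.ProcessCommandLine, REQUIRED_TERMS)


# Tuning (hypothetical allowlist). Each exclusion pins the exact benign child
# command line; excluding on the workbook, account or launch method alone
# would also hide a trojanised workbook or a macro run by a phished admin.
REPORT_WORKBOOK = r"c:\reports\dailyreport.xlsm"
TRUSTED_WORKBOOKS = {REPORT_WORKBOOK, r"c:\tools\datavalidation\datacleaner.xlsm"}
KNOWN_BENIGN_CHAINS = {
    r"cmd.exe /c mkdir c:\reports\out && copy c:\reports\daily.csv c:\reports\out "
    r"&& certutil.exe -hashfile c:\reports\out\daily.csv sha256",
}
REPORT_SERVER, REPORT_ACCOUNT = "rpt-srv01", "svc_reports"

def trusted_workbook(ev: DeviceProcessEvent) -> str | None:
    """The trusted workbook named on Excel's own command line, if any."""
    cl = ev.InitiatingProcessCommandLine.lower()
    return next((p for p in TRUSTED_WORKBOOKS if p in cl), None)

def is_scheduled_report_context(ev: DeviceProcessEvent) -> bool:
    """Expected host and service account, and Excel parented by the Schedule
    service host (svchost.exe on current Windows: an assumption here)."""
    return (kql_eq_ci(ev.DeviceName, REPORT_SERVER)
            and kql_eq_ci(ev.AccountName, REPORT_ACCOUNT)
            and kql_eq_ci(ev.InitiatingProcessParentFileName, "svchost.exe"))

def is_excluded(ev: DeviceProcessEvent) -> bool:
    wb = trusted_workbook(ev)
    if wb is None or ev.ProcessCommandLine.lower() not in KNOWN_BENIGN_CHAINS:
        return False
    # The scheduled report workbook is additionally pinned to its job context.
    return is_scheduled_report_context(ev) if wb == REPORT_WORKBOOK else True

def hunt(events: Iterable[DeviceProcessEvent]) -> list[DeviceProcessEvent]:
    """Rows the tuned hunt surfaces."""
    return [ev for ev in events if matches_rule(ev) and not is_excluded(ev)]


EXCEL = r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"'
_CHAIN = next(iter(KNOWN_BENIGN_CHAINS))
SAMPLE_EVENTS = [  # constructed rows, fields in the dataclass order above
    # 1: the hunted pattern, with mixed case to exercise =~ and has_all
    DeviceProcessEvent("ws-0417", "jdoe", "explorer.exe", "EXCEL.EXE",
        EXCEL + r' "C:\Users\jdoe\Downloads\Invoice-30921.xlsm"', "cmd.exe",
        r"cmd.exe /c mkdir C:\Users\Public\Tmp && copy C:\Windows\System32\CertUtil.exe C:\Users\Public\Tmp\ct.exe"),
    # 2: scheduled report on its server under its service account -> excluded
    DeviceProcessEvent("RPT-SRV01", "svc_reports", "svchost.exe", "excel.exe",
        EXCEL + r" C:\Reports\DailyReport.xlsm", "cmd.exe", _CHAIN),
    # 3: same workbook and chain, but from Explorer on a workstation -> alerts
    DeviceProcessEvent("ws-0099", "jdoe", "explorer.exe", "excel.exe",
        EXCEL + r" C:\Reports\DailyReport.xlsm", "cmd.exe", _CHAIN),
    # 4: Word, not Excel, is the initiating process -> outside this hunt
    DeviceProcessEvent("ws-0417", "jdoe", "explorer.exe", "winword.exe",
        r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" x.docm', "cmd.exe",
        r"cmd.exe /c mkdir C:\Users\Public\Tmp && copy C:\Windows\System32\certutil.exe C:\Users\Public\Tmp\ct.exe"),
    # 5: mkdir and copy without certutil.exe -> has_all not satisfied
    DeviceProcessEvent("ws-0417", "jdoe", "explorer.exe", "excel.exe",
        EXCEL + r" C:\Tools\DataValidation\DataCleaner.xlsm", "cmd.exe",
        r"cmd.exe /c mkdir C:\Tools\Out && copy C:\Tools\in.csv C:\Tools\Out\in.csv"),
]
```

Running `hunt(SAMPLE_EVENTS)` returns rows 1 and 3. Row 3 is the point of the design: the same trusted workbook and the same benign chain still alert when they appear outside the scheduled job's host, account and parent, which is what a narrow exclusion buys over a blanket "ignore this workbook" rule.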