A malicious Office document usually stages its next step by having the Office process itself write an executable or script to disk (a dropped .exe or .dll, a .vbs or .ps1 to be launched, an .hta or .scr) before running it. Legitimate Office use almost never produces files with those extensions, so a file-creation event whose creating image is an Office binary and whose target carries such an extension is a high-value hunting lead for user-executed malicious files (ATT&CK T1204.002). The Sigma rule below encodes that check; a Microsoft Sentinel (ASIM) translation follows it, and the closing section reviews which common false-positive scenarios actually reach the rule.
Detection Rule
title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
    - attack.t1204.002
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    # Note: Please add more file extensions to the logic of your choice.
    selection1:
        Image|endswith:
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    selection2:
        TargetFilename|endswith:
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ocx'
            - '.proj'
            - '.ps1'
            - '.scf'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    filter_main_localassembly:
        TargetFilename|contains: '\AppData\Local\assembly\tmp\'
        TargetFilename|endswith: '.dll'
    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\WebServiceCache\AllUsers'
        TargetFilename|endswith: '.com'
    filter_optional_webex:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\<user email address ending in .com>
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\BackstageInAppNavCache\'
        TargetFilename|endswith: '.com'
    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
Microsoft Sentinel (ASIM) translation

Check the field mapping before deploying. In the ASIM FileEvent schema the creating process is ActingProcessName, the full path of the created file is TargetFilePath, and TargetFileName holds only the bare file name. The translation as originally published on this page had the Office image in TargetFilePath and the path-based exclusions on TargetFileName, which can never match a directory fragment, so the query below uses the correct fields. It also narrows imFileEvent to creation events, which is what the Sigma file_event category covers.

imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\excel.exe" or ActingProcessName endswith "\\msaccess.exe"
    or ActingProcessName endswith "\\mspub.exe" or ActingProcessName endswith "\\powerpnt.exe"
    or ActingProcessName endswith "\\visio.exe" or ActingProcessName endswith "\\winword.exe"
| where TargetFilePath endswith ".bat" or TargetFilePath endswith ".cmd" or TargetFilePath endswith ".com"
    or TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe" or TargetFilePath endswith ".hta"
    or TargetFilePath endswith ".ocx" or TargetFilePath endswith ".proj" or TargetFilePath endswith ".ps1"
    or TargetFilePath endswith ".scf" or TargetFilePath endswith ".scr" or TargetFilePath endswith ".sys"
    or TargetFilePath endswith ".vbe" or TargetFilePath endswith ".vbs" or TargetFilePath endswith ".wsf"
    or TargetFilePath endswith ".wsh"
// filter_main_localassembly
| where not(TargetFilePath contains "\\AppData\\Local\\assembly\\tmp\\" and TargetFilePath endswith ".dll")
// filter_optional_webservicecache
| where not(TargetFilePath contains "C:\\Users\\" and TargetFilePath contains "\\AppData\\Local\\Microsoft\\Office\\"
    and TargetFilePath contains "\\WebServiceCache\\AllUsers" and TargetFilePath endswith ".com")
// filter_optional_webex
| where not(ActingProcessName endswith "\\winword.exe" and TargetFilePath contains "\\AppData\\Local\\Temp\\webexdelta\\"
    and (TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe"))
// filter_optional_backstageinappnavcache
| where not(TargetFilePath contains "C:\\Users\\" and TargetFilePath contains "\\AppData\\Local\\Microsoft\\Office\\"
    and TargetFilePath contains "\\BackstageInAppNavCache\\" and TargetFilePath endswith ".com")

KQL's endswith and contains operators are case-insensitive, which matches Sigma's default string-matching semantics, so no tolower() wrapping is needed.
False-positive review

The rule fires only when both selections hold at once: the creating image is one of the six Office binaries in selection1, and the created file's extension is in selection2. Several of the scenarios below never satisfy the first condition, so the process exclusions originally proposed for them would be no-ops; the rule's own filter_* entries show the pattern that does work, a full-path match on a known benign location.

Scenario: A system administrator creates a .vbs file to automate a scheduled task using Windows Task Scheduler.
Filter/Exclusion: None needed. The file is written by the Task Scheduler service or schtasks.exe, neither of which is in selection1, so the event never matches. If the administrator authors the script in Word and saves it with a .vbs name, the rule fires, which is the intended behaviour; suppress that with a filter on the known script path rather than by removing .vbs from selection2.

Scenario: A developer uses Microsoft Excel to generate a .csv file with a custom extension (e.g., .csvx) for internal use.
Filter/Exclusion: None needed. .csvx (like .csv, .xlsx and .txt) is not in selection2, so no file with that extension matches regardless of the creating process. Adding document extensions to a filter changes nothing.

Scenario: A PowerShell script is run via PowerShell ISE or PowerShell Studio to generate a temporary .ps1 file for testing.
Filter/Exclusion: None needed. powershell.exe and powershell_ise.exe are not Office images, so the .ps1 write falls outside selection1.

Scenario: A Microsoft Word document is saved with a .docm extension (macro-enabled) as part of a standard document workflow.
Filter/Exclusion: None needed. .docm is not in selection2. The rule deliberately ignores document formats: a macro-enabled document is the delivery vehicle, and the rule looks for the executable or script it drops.

Scenario: A scheduled backup job using Veeam Backup & Replication creates a temporary .vbs script to execute a backup task.
Filter/Exclusion: None needed. The script is written by the backup product's own processes, not by an Office binary, so selection1 is not satisfied.

The false positives that do occur are Office processes legitimately writing .dll, .exe or .com-named paths, which is why the rule already excludes the .NET assembly temp directory, the webexdelta directory written by winword.exe, and Office cache directories named after a .com domain. When a new benign source appears, add a filter_optional_* entry keyed on the full path, as the existing ones are, so the extension list keeps its coverage.
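The rule's condition and the scenario checks above, as an added example that is not part of the page or of the SigmaHQ rule: a stand-alone Python re-implementation of the Sigma logic (case-insensitive matching, as Sigma specifies), run over constructed Sysmon Event ID 11 style records. The field names Image and TargetFilename are the ones the Sigma windows/file_event logsource uses; the user name, paths and event records are made up for the demonstration.

```python
# Added example: stand-alone re-implementation of the Sigma rule's condition.
# Not code from the page or from SigmaHQ. Field names Image / TargetFilename
# follow the Sigma windows/file_event logsource; all events below are constructed.

OFFICE_IMAGES = ("\\excel.exe", "\\msaccess.exe", "\\mspub.exe",
                 "\\powerpnt.exe", "\\visio.exe", "\\winword.exe")

SUSPICIOUS_EXTS = (".bat", ".cmd", ".com", ".dll", ".exe", ".hta", ".ocx", ".proj",
                   ".ps1", ".scf", ".scr", ".sys", ".vbe", ".vbs", ".wsf", ".wsh")

# Path fragments shared by the two Office cache exclusions. Everything is
# lower-cased because Sigma string matching is case-insensitive.
OFFICE_CACHE = ("c:\\users\\", "\\appdata\\local\\microsoft\\office\\")


def filter_main_localassembly(image, target):
    return "\\appdata\\local\\assembly\\tmp\\" in target and target.endswith(".dll")


def filter_optional_webservicecache(image, target):
    parts = OFFICE_CACHE + ("\\webservicecache\\allusers",)
    return all(p in target for p in parts) and target.endswith(".com")


def filter_optional_webex(image, target):
    # Scoped to winword.exe only; the same path written by excel.exe still alerts.
    return (image.endswith("\\winword.exe")
            and "\\appdata\\local\\temp\\webexdelta\\" in target
            and target.endswith((".dll", ".exe")))


def filter_optional_backstageinappnavcache(image, target):
    parts = OFFICE_CACHE + ("\\backstageinappnavcache\\",)
    return all(p in target for p in parts) and target.endswith(".com")


FILTERS = (filter_main_localassembly, filter_optional_webservicecache,
           filter_optional_webex, filter_optional_backstageinappnavcache)


def rule_matches(event):
    """Evaluate 'all of selection* and not 1 of filter_main_* and not 1 of
    filter_optional_*' for one file-create event."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not (image.endswith(OFFICE_IMAGES) and target.endswith(SUSPICIOUS_EXTS)):
        return False  # selection1 and selection2 must both hold
    return not any(f(image, target) for f in FILTERS)


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
USER = r"C:\Users\alice"

# Constructed events. The first group exercises the rule's own exclusions; the
# second re-checks the false-positive scenarios discussed above.
EVENTS = {
    "word_drops_exe":       {"Image": WORD,  "TargetFilename": USER + r"\AppData\Local\Temp\update.exe"},
    "word_saves_docx":      {"Image": WORD,  "TargetFilename": USER + r"\Documents\report.docx"},
    "excel_assembly_tmp":   {"Image": EXCEL, "TargetFilename": USER + r"\AppData\Local\assembly\tmp\K1\Addin.dll"},
    "word_webexdelta_dll":  {"Image": WORD,  "TargetFilename": USER + r"\AppData\Local\Temp\webexdelta\ptUpdate.dll"},
    "excel_webexdelta_dll": {"Image": EXCEL, "TargetFilename": USER + r"\AppData\Local\Temp\webexdelta\ptUpdate.dll"},
    "office_cache_com_dir": {"Image": WORD,  "TargetFilename": USER + r"\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com"},
    "schtasks_writes_vbs":  {"Image": r"C:\Windows\System32\schtasks.exe", "TargetFilename": r"C:\Scripts\nightly.vbs"},
    "excel_custom_csvx":    {"Image": EXCEL, "TargetFilename": USER + r"\Documents\export.csvx"},
    "ise_temp_ps1":         {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe", "TargetFilename": USER + r"\AppData\Local\Temp\test.ps1"},
    "word_saves_docm":      {"Image": WORD,  "TargetFilename": USER + r"\Documents\form.docm"},
    "word_saves_vbs":       {"Image": WORD,  "TargetFilename": USER + r"\Desktop\automation.vbs"},
}


def evaluate(events=EVENTS):
    """Return {event name: True if the rule would alert on it}."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

Running it reproduces the scenario review: only three events alert (Word dropping an .exe into Temp, Word saving a .vbs, and Excel writing into webexdelta, because that exclusion is scoped to winword.exe), while the Task Scheduler, PowerShell ISE, .csvx and .docm cases never satisfy both selections and need no exclusion.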