Adversaries may create Office macro files to execute malicious code and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential initial access or lateral movement tactics early.
Detection Rule
```yaml
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of new Office macro files on the system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: selection
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low
```
Azure Sentinel Query

```kql
imFileEvent
// Keep only creations: the imFileEvent ASIM parser also returns modify, delete and rename events,
// while the Sigma rule's file_event category covers file creation.
| where EventType == "FileCreated"
| where TargetFileName endswith ".docm"
    or TargetFileName endswith ".dotm"
    or TargetFileName endswith ".xlsm"
    or TargetFileName endswith ".xltm"
    or TargetFileName endswith ".potm"
    or TargetFileName endswith ".pptm"
```
False Positive Scenarios and Tuning

Scenario: A system administrator deploys a new Microsoft Word template with embedded macros for document automation.
Filter/Exclusion: Exclude files created by the Microsoft Office Deployment Tool, or .dotm files used as templates.

Scenario: A scheduled job runs a PowerShell script that generates an .xlsm file for reporting purposes.
Filter/Exclusion: Exclude files created by Task Scheduler jobs, or files matching the naming pattern used by the reporting tool.

Scenario: An IT technician uses Microsoft Word to create a macro-enabled document for internal training materials.
Filter/Exclusion: Exclude files created by members of the IT or Admin groups, or files under a specific folder path such as \\fileserver\training\.

Scenario: A DevOps pipeline deploys a configuration file with macros for automation using Azure DevOps and PowerShell.
Filter/Exclusion: Exclude files created by the Azure DevOps agent, or files with a specific extension such as .xlsm generated by CI/CD pipelines.

Scenario: A user runs Microsoft Excel to create a macro-enabled workbook for data analysis using Power BI integration.
Filter/Exclusion: Exclude files created by users with the Power BI application installed, or files under a specific path related to Power BI data sources.
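The following Python is an added example, not code from the original page or from the Sigma project: it reimplements the rule (a FileCreated event whose name ends in a macro extension) together with the tuning exclusions from the scenarios above, and runs it over constructed events shaped like imFileEvent rows so the detection content can be unit-tested offline. The trusted process names, the ActorGroups enrichment field and the sample events are assumptions made for the example.

```python
from typing import Optional

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")

# Tuning lists with placeholder values for this example; adapt them to your estate.
TRUSTED_PROCESSES = {"setup.exe", "agent.worker.exe"}  # assumed ODT / Azure DevOps agent names
TRUSTED_PATH_PREFIXES = ("\\\\fileserver\\training\\",)  # training share from the scenarios
TRUSTED_GROUPS = {"IT", "Admin"}

def is_macro_file(name: str) -> bool:
    """Same semantics as the Sigma/KQL 'endswith': case-insensitive suffix match."""
    return name.lower().endswith(MACRO_EXTENSIONS)

def exclusion_reason(event: dict) -> Optional[str]:
    """Return which tuning rule suppresses the event, or None if it should alert."""
    if event.get("ActingProcessName", "").lower() in TRUSTED_PROCESSES:
        return "trusted process"
    path = event.get("TargetFilePath", "").lower()
    if path.startswith(tuple(p.lower() for p in TRUSTED_PATH_PREFIXES)):
        return "trusted path"
    # ActorGroups is an assumed enrichment field, not part of the ASIM schema.
    if TRUSTED_GROUPS & set(event.get("ActorGroups", [])):
        return "trusted group"
    return None

def hunt(events: list[dict]) -> list[dict]:
    """Apply the rule (FileCreated + macro extension), then drop tuned-out events."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "FileCreated":
            continue  # deletes, renames and modifications are out of scope for this rule
        if is_macro_file(ev.get("TargetFileName", "")) and exclusion_reason(ev) is None:
            hits.append(ev)
    return hits

# Constructed sample events shaped like imFileEvent rows (not real telemetry).
EVENTS = [
    {"EventType": "FileCreated", "TargetFileName": "Invoice_Q3.DOCM", "ActingProcessName": "outlook.exe",
     "TargetFilePath": r"C:\Users\jdoe\Downloads\Invoice_Q3.DOCM", "ActorUsername": "jdoe", "ActorGroups": ["Finance"]},
    {"EventType": "FileCreated", "TargetFileName": "Normal.dotm", "ActingProcessName": "setup.exe",
     "TargetFilePath": r"C:\Users\Default\AppData\Roaming\Microsoft\Templates\Normal.dotm", "ActorUsername": "SYSTEM"},
    {"EventType": "FileCreated", "TargetFileName": "Module1.docm", "ActingProcessName": "winword.exe",
     "TargetFilePath": r"\\fileserver\training\Module1.docm", "ActorUsername": "tech01", "ActorGroups": ["IT"]},
    {"EventType": "FileDeleted", "TargetFileName": "old.xlsm", "ActingProcessName": "explorer.exe",
     "TargetFilePath": r"C:\Reports\old.xlsm", "ActorUsername": "jdoe", "ActorGroups": ["Finance"]},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f"ALERT {hit['ActorUsername']} {hit['ActingProcessName']} -> {hit['TargetFilePath']}")
```

Only the Outlook-written Invoice_Q3.DOCM survives the exclusions; the template install, the training-share document and the deletion are tuned out or never matched.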