Adversaries may use suspicious processes to create Office macro files to execute malicious code and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware deployment and exfiltration activities early.
Detection Rule
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of an Office macro file from a suspicious process
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_cmd:
        # Two maps in a YAML list: either the creating process or its parent is one of the listed script hosts / LOLBins
        - Image|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
imFileEvent
// Sigma Image maps to the ASIM acting process (ActingProcessName) and ParentImage to ParentProcessName,
// which is optional in the ASIM FileEvent schema and only populated where the source parser supplies it.
// The TargetFile* fields describe the macro file being created, not the process writing it.
| where (ActingProcessName endswith "\\cscript.exe" or ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\regsvr32.exe" or ActingProcessName endswith "\\rundll32.exe" or ActingProcessName endswith "\\wscript.exe")
    or (ParentProcessName endswith "\\cscript.exe" or ParentProcessName endswith "\\mshta.exe" or ParentProcessName endswith "\\regsvr32.exe" or ParentProcessName endswith "\\rundll32.exe" or ParentProcessName endswith "\\wscript.exe")
| where TargetFileName endswith ".docm" or TargetFileName endswith ".dotm" or TargetFileName endswith ".xlsm" or TargetFileName endswith ".xltm" or TargetFileName endswith ".potm" or TargetFileName endswith ".pptm"
False Positive Scenarios
Scenario: A system administrator is using PowerShell to automate the generation of .dot files for a custom reporting tool.
Filter/Exclusion: Exclude processes with ProcessName containing powershell.exe and CommandLine containing -Command or -File with known admin scripts.

Scenario: A scheduled job runs Task Scheduler to generate a .dotm file for a legacy application that uses macro-enabled templates.
Filter/Exclusion: Exclude processes with ProcessName containing schtasks.exe or Task Scheduler, and check for known legitimate job names in the task scheduler.

Scenario: A developer uses Visual Studio to debug a macro-enabled document, which temporarily creates a .dot file during testing.
Filter/Exclusion: Exclude processes with ProcessName containing devenv.exe or VisualStudio.exe, and check for the presence of development tools in the environment.

Scenario: A user opens a Microsoft Word document that contains embedded macros, and the system temporarily creates a .dot file during the document load.
Filter/Exclusion: Exclude processes with ProcessName containing WINWORD.EXE, and check for known legitimate document operations using file system monitoring.

Scenario: A Windows Update or Group Policy process generates a temporary macro file during configuration changes.
Filter/Exclusion: Exclude processes with ProcessName containing wuauclt.exe, gpupdate.exe, or svchost.exe associated with system update services.
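The following is an added example, not code from the rule's authors or from the Sigma project: it evaluates the rule's `all of selection_*` logic in Python over constructed Sysmon EID 11-style events (field names Image, ParentImage and TargetFilename follow Sysmon; the sample paths are made up). It shows that the Word and PowerShell scenarios above never reach the suspicious-image list, and that the ParentImage branch only contributes once the log has been enriched as the rule's definition requires.

```python
# Added example (not from the rule's authors): evaluates the Sigma selection logic over
# constructed Sysmon EID 11-style events; ParentImage is present only where logs were enriched.
SUSPICIOUS_IMAGES = ("\\cscript.exe", "\\mshta.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe")
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")

def _endswith_any(value, suffixes):
    """Sigma string matching is case-insensitive; a missing field (None) never matches."""
    if value is None:
        return False
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def matches_rule(event):
    """True when the event satisfies `condition: all of selection_*`.

    selection_cmd is a YAML list of two maps, which Sigma joins with OR: the creating process
    (Image) or its parent (ParentImage) is a listed script host / LOLBin. selection_ext needs
    a macro-enabled Office extension on TargetFilename.
    """
    selection_cmd = (_endswith_any(event.get("Image"), SUSPICIOUS_IMAGES)
                     or _endswith_any(event.get("ParentImage"), SUSPICIOUS_IMAGES))
    selection_ext = _endswith_any(event.get("TargetFilename"), MACRO_EXTENSIONS)
    return selection_cmd and selection_ext

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\invoice.docm"},
    # Word and PowerShell creating macro templates are not in the image list, so no alert.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\u\Documents\report.dotm"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Temp\template.xlsm"},
    # Same activity with and without ParentImage enrichment: only the enriched event fires.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Temp\deck.pptm"},
    {"Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Temp\deck.pptm"},
    # Suspicious image but a non-macro extension: selection_ext fails.
    {"Image": r"C:\Windows\System32\rundll32.exe", "TargetFilename": r"C:\Temp\plain.docx"},
]

def alerts(events):
    """Return the TargetFilename of each event that triggers the rule, in input order."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```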