Adversaries may create files with uncommon extensions in Office startup folders to execute malicious payloads undetected. SOC teams should proactively hunt for this behavior as it indicates potential persistence mechanisms commonly used in advanced threats.
Detection Rule
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
    - http://addbalance.com/word/startup.htm
    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
            - '\Office'
            - '\Program Files'
            - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb' # MS Access DB
            - '.mdw' # MS Access DB
            - '.pdf' # PDF documents
            - '.wll' # Word add-in
            - '.wwl' # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
            - '\Office'
            - '\Program Files'
            - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high
imFileEvent
| where (
    (
        (TargetFileName contains "\\Microsoft\\Word\\STARTUP"
            or (TargetFileName contains "\\Office" and TargetFileName contains "\\Program Files" and TargetFileName contains "\\STARTUP"))
        and (not((TargetFileName endswith ".docb" or TargetFileName endswith ".docm" or TargetFileName endswith ".docx"
            or TargetFileName endswith ".dotm" or TargetFileName endswith ".mdb" or TargetFileName endswith ".mdw"
            or TargetFileName endswith ".pdf" or TargetFileName endswith ".wll" or TargetFileName endswith ".wwl")))
    )
    or (
        (TargetFileName contains "\\Microsoft\\Excel\\XLSTART"
            or (TargetFileName contains "\\Office" and TargetFileName contains "\\Program Files" and TargetFileName contains "\\XLSTART"))
        and (not((TargetFileName endswith ".xll" or TargetFileName endswith ".xls" or TargetFileName endswith ".xlsm"
            or TargetFileName endswith ".xlsx" or TargetFileName endswith ".xlt" or TargetFileName endswith ".xltm"
            or TargetFileName endswith ".xlw")))
    )
)
and (not(
    (
        (TargetFilePath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and TargetFilePath endswith "\\OfficeClickToRun.exe")
        or ((TargetFilePath contains ":\\Program Files\\Microsoft Office\\" or TargetFilePath contains ":\\Program Files (x86)\\Microsoft Office\\")
            and (TargetFilePath endswith "\\winword.exe" or TargetFilePath endswith "\\excel.exe"))
    )
))
Scenario: A system administrator creates a custom .reg file to configure Office settings during a routine configuration task.
Filter/Exclusion: Exclude files with the .reg extension created by the regedit tool or by users with the Administrators group membership.
Scenario: A scheduled job runs a script that generates a temporary .tmp file in the Office startup folder to store intermediate data.
Filter/Exclusion: Exclude files with the .tmp extension created by processes associated with the Task Scheduler or by scripts with known names like setup_script.ps1.
Scenario: A user installs a legitimate third-party add-in (e.g., Kutools for Excel) that places a .dll file in the Office startup folder.
Filter/Exclusion: Exclude files with the .dll extension that are signed by known vendors or located in subfolders like Kutools for Excel.
Scenario: A developer tests a new macro or add-in by placing a .xlam file in the Office startup folder.
Filter/Exclusion: Exclude files with the .xlam extension created by development tools like Visual Studio or by users with the Power Users group membership.
Scenario: A backup or synchronization tool (e.g., OneDrive, SyncToy) creates a .sync file in the Office startup folder during a sync operation.
Filter/Exclusion: Exclude files with the .sync extension that are created by processes associated with OneDrive or SyncToy.
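The following is an added worked example, not code from the Sigma rule or its authors: it re-implements the rule's logic (path selection, expected-extension exclusion, and the Click-to-Run / Office application image filters) in Python and runs it over a handful of constructed Sysmon Event ID 11-style file-creation records, then applies one of the tuning scenarios above. The sample paths, process images and file names are made up for the demonstration. The scenario filters on the page that depend on code signers or group membership cannot be expressed on a bare file event, so the `extra_exclusions` hook here is a hypothetical simplification that keys on (extension, creating-process suffix) pairs; a production deployment would need signer or identity enrichment to honour those scenarios faithfully.

```python
# Added example: Python re-implementation of the "Uncommon File Created In
# Office Startup Folder" logic over constructed file-creation events.
# Event shape follows Sysmon Event ID 11 field names (TargetFilename, Image).

# Extensions the rule treats as expected in each startup folder.
WORD_EXPECTED_EXT = (".docb", ".docm", ".docx", ".dotm", ".mdb", ".mdw", ".pdf", ".wll", ".wwl")
EXCEL_EXPECTED_EXT = (".xll", ".xls", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xlw")


def in_word_startup(target: str) -> bool:
    """selection_word_paths: per-user Word STARTUP, or the Program Files Office STARTUP."""
    t = target.lower()  # Sigma string modifiers match case-insensitively
    return "\\microsoft\\word\\startup" in t or all(
        s in t for s in ("\\office", "\\program files", "\\startup")
    )


def in_excel_startup(target: str) -> bool:
    """selection_excel_paths: per-user XLSTART, or the Program Files Office XLSTART."""
    t = target.lower()
    return "\\microsoft\\excel\\xlstart" in t or all(
        s in t for s in ("\\office", "\\program files", "\\xlstart")
    )


def is_office_servicing_or_app(image: str) -> bool:
    """filter_main_*: Click-to-Run servicing binary, or winword/excel from the Office install dir."""
    i = image.lower()
    if (":\\program files\\common files\\microsoft shared\\clicktorun\\" in i
            and i.endswith("\\officeclicktorun.exe")):
        return True
    in_office_dir = (":\\program files\\microsoft office\\" in i
                     or ":\\program files (x86)\\microsoft office\\" in i)
    return in_office_dir and i.endswith(("\\winword.exe", "\\excel.exe"))


def matches_rule(event: dict, extra_exclusions=()) -> bool:
    """Return True when the event satisfies the rule's condition.

    extra_exclusions is a hypothetical site-tuning hook: an iterable of
    (extension, creating-process suffix) pairs that suppress a match.
    """
    target = event["TargetFilename"]
    image = event.get("Image", "")
    t = target.lower()
    word_hit = in_word_startup(target) and not t.endswith(WORD_EXPECTED_EXT)
    excel_hit = in_excel_startup(target) and not t.endswith(EXCEL_EXPECTED_EXT)
    if not (word_hit or excel_hit):
        return False
    if is_office_servicing_or_app(image):
        return False
    for ext, image_suffix in extra_exclusions:
        if t.endswith(ext.lower()) and image.lower().endswith(image_suffix.lower()):
            return False
    return True


def evaluate(events, extra_exclusions=()):
    """Run the rule over a list of events and return the TargetFilename of each hit, in order."""
    return [e["TargetFilename"] for e in events if matches_rule(e, extra_exclusions)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: Word add-in with an expected extension, written by Word itself -> no alert
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\update.wll",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # 1: DLL dropped into XLSTART by a script host -> alert
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\helper.dll",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 2: temp file in the Program Files XLSTART written by Click-to-Run servicing -> filtered
    {"TargetFilename": r"C:\Program Files\Microsoft Office\root\Office16\XLSTART\cache.tmp",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"},
    # 3: sync artefact from OneDrive (the page's backup/sync scenario) -> alert unless tuned
    {"TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART\book.sync",
     "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # 4: plain text file saved into Word STARTUP via Explorer -> alert (rule is extension-agnostic)
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt",
     "Image": r"C:\Windows\explorer.exe"},
]

# Hypothetical tuning derived from the OneDrive scenario above.
SYNC_TOOL_TUNING = [(".sync", "\\OneDrive.exe")]

if __name__ == "__main__":
    print("Untuned hits:")
    for hit in evaluate(SAMPLE_EVENTS):
        print("  ALERT", hit)
    print("With OneDrive tuning:")
    for hit in evaluate(SAMPLE_EVENTS, SYNC_TOOL_TUNING):
        print("  ALERT", hit)
```

Running it shows three hits untuned (the DLL, the .sync file and the .txt file) and two once the OneDrive pair is excluded; the .wll and the Click-to-Run .tmp never fire, matching the rule's `filter_exclude_*` and `filter_main_*` branches.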