sigmaDRL-1.1from SigmaHQ/sigma
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
Quality
84
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
- id: 0c79148b-118e-472b-bdb7-9b57b444cc19
type: obsolete
status: test
description: Detects potential arbitrary file download using a Microsoft Office application
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022-05-17
modified: 2023-06-22
tags:
- attack.defense-evasion
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_http:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high