← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Binary In User Directory Spawned From Office Application

Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1204.002
Rule sourcerules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
    - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
    - attack.g0046
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.exe'
            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high