rules/windows/process_creation/win_office_shell.yml

title: Microsoft Office Product Spawning Windows Shell
id: 438025f9-5856-4663-83f7-52f878a70a50
status: experimental
description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
tags:
    - attack.execution
    - attack.t1204          # an old one
    - attack.t1204.002
author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
date: 2018/04/06
modified: 2020/09/01
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\OUTLOOK.EXE'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\scrcons.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\hh.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
            - '\mftrace.exe'
            - '\AppVLP.exe'
            - '\svchost.exe'  # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - unknown
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Microsoft Office Product Spawning Windows Shell`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 438025f9-5856-4663-83f7-52f878a70a50`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100`
			`- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`tags:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- attack.execution`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`- attack.t1204 # an old one`
			`- attack.t1204.002`
changes provided by FPT.EagleEye Team in 2021-01-09 10:38:20 +01:00			`author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`date: 2018/04/06`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`modified: 2020/09/01`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
Update win_office_shell.yml 2020-10-15 18:13:10 -03:00			`ParentImage\|endswith:`
			`- '\WINWORD.EXE'`
			`- '\EXCEL.EXE'`
			`- '\POWERPNT.exe'`
			`- '\MSPUB.exe'`
			`- '\VISIO.exe'`
			`- '\OUTLOOK.EXE'`
Merge branch 'oscd' 2021-03-02 22:48:55 +03:00			`- '\MSACCESS.EXE'`
			`- '\EQNEDT32.EXE'`
Update win_office_shell.yml 2020-10-15 18:13:10 -03:00			`Image\|endswith:`
			`- '\cmd.exe'`
			`- '\powershell.exe'`
			`- '\wscript.exe'`
			`- '\cscript.exe'`
			`- '\sh.exe'`
			`- '\bash.exe'`
			`- '\scrcons.exe'`
			`- '\schtasks.exe'`
			`- '\regsvr32.exe'`
			`- '\hh.exe'`
			`- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/`
			`- '\mshta.exe'`
			`- '\rundll32.exe'`
			`- '\msiexec.exe'`
			`- '\forfiles.exe'`
			`- '\scriptrunner.exe'`
			`- '\mftrace.exe'`
			`- '\AppVLP.exe'`
			`- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html`
Merge branch 'oscd' 2021-03-02 22:48:55 +03:00			`- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`fields:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: high`