frack113
36 lines
1000 B
YAML
36 lines
1000 B
YAML
title: Dump Office Macro Files from Commandline
|
|
id: b1c50487-1967-4315-a026-6491686d860e
|
|
status: experimental
|
|
description: A office file with macro is created from a commandline or a script
|
|
author: frack113
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md
|
|
- https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
|
|
date: 2022/01/23
|
|
logsource:
|
|
category: file_event
|
|
product: windows
|
|
detection:
|
|
selection_ext:
|
|
TargetFilename|endswith:
|
|
- .docm
|
|
- .dotm
|
|
- .xlsm
|
|
- .xltm
|
|
- .potm
|
|
- .pptm
|
|
- .pptx
|
|
selection_cmd:
|
|
- Image|endswith:
|
|
- \cmd.exe
|
|
- \powershell.exe
|
|
- ParentImage|endswith:
|
|
- \cmd.exe
|
|
- \powershell.exe
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1566.001 |