Techniques
Sample rules
Uncommon File Created In Office Startup Folder
- source: sigma
- techniques:
- t1587 (Develop Capabilities)
- t1587.001 (Develop Capabilities: Malware)
Description
Detects the creation of a file with an uncommon extension in an Office application startup folder. Word loads templates and add-ins from its STARTUP folder and Excel from XLSTART at launch, so a file written there whose extension is not one of the expected template or add-in types, by a process other than Word, Excel or the Office Click-to-Run installer, is worth alerting on. The fields used (Image for the writing process, TargetFilename for the created file) are those of Windows file-creation events such as Sysmon Event ID 11.
Detection logic
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
filter_exclude_excel_ext:
  TargetFilename|endswith:
    - '.xll'
    - '.xls'
    - '.xlsm'
    - '.xlsx'
    - '.xlt'
    - '.xltm'
    - '.xlw'
filter_exclude_word_ext:
  TargetFilename|endswith:
    - '.docb'
    - '.docm'
    - '.docx'
    - '.dotm'
    - '.mdb'
    - '.mdw'
    - '.pdf'
    - '.wll'
    - '.wwl'
filter_main_office_apps:
  Image|contains:
    - ':\Program Files\Microsoft Office\'
    - ':\Program Files (x86)\Microsoft Office\'
  Image|endswith:
    - '\winword.exe'
    - '\excel.exe'
filter_main_office_click_to_run:
  Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
  Image|endswith: '\OfficeClickToRun.exe'
selection_excel_paths:
  - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
  - TargetFilename|contains|all:
      - '\Office'
      - '\Program Files'
      - '\XLSTART'
selection_word_paths:
  - TargetFilename|contains: '\Microsoft\Word\STARTUP'
  - TargetFilename|contains|all:
      - '\Office'
      - '\Program Files'
      - '\STARTUP'
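The detection logic above, evaluated in Python over a handful of constructed file-creation events. This is an added illustration, not code from the Sigma project or from the rule's authors; the event records are made up for the example and carry only the two fields the rule inspects (Image and TargetFilename). It encodes the Sigma semantics that matter here: string modifiers are case-insensitive, a list under `contains` or `endswith` is an OR, `contains|all` is an AND, two keys in one map are ANDed, a list of maps is ORed, and `1 of filter_main_*` is true when any filter_main_ selection matches.

```python
"""Run the detection logic above over constructed Windows file-creation events.

Each event carries the two fields the rule uses, Image (writing process) and
TargetFilename (file created), as found in Sysmon Event ID 11 records.  Sigma
string modifiers (contains, endswith) are case-insensitive, so all comparisons
lower-case both sides."""

from typing import Iterable

# Extension lists transcribed from filter_exclude_excel_ext / filter_exclude_word_ext.
EXCEL_EXT = (".xll", ".xls", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xlw")
WORD_EXT = (".docb", ".docm", ".docx", ".dotm", ".mdb", ".mdw", ".pdf", ".wll", ".wwl")

# Image fragments from filter_main_office_apps / filter_main_office_click_to_run.
OFFICE_DIRS = (":\\Program Files\\Microsoft Office\\", ":\\Program Files (x86)\\Microsoft Office\\")
OFFICE_IMAGES = ("\\winword.exe", "\\excel.exe")
C2R_DIR = ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"
C2R_IMAGE = "\\OfficeClickToRun.exe"


def contains_any(value: str, parts: Iterable[str]) -> bool:
    """Sigma `contains` with a list: any fragment may match."""
    v = value.lower()
    return any(p.lower() in v for p in parts)


def contains_all(value: str, parts: Iterable[str]) -> bool:
    """Sigma `contains|all`: every fragment must be present."""
    v = value.lower()
    return all(p.lower() in v for p in parts)


def ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma `endswith` with a list: any suffix may match."""
    return value.lower().endswith(tuple(s.lower() for s in suffixes))


def selection_excel_paths(ev: dict) -> bool:
    t = ev["TargetFilename"]  # list of maps => OR between the two items
    return (contains_all(t, ["\\Microsoft\\Excel\\XLSTART"])
            or contains_all(t, ["\\Office", "\\Program Files", "\\XLSTART"]))


def selection_word_paths(ev: dict) -> bool:
    t = ev["TargetFilename"]
    return (contains_all(t, ["\\Microsoft\\Word\\STARTUP"])
            or contains_all(t, ["\\Office", "\\Program Files", "\\STARTUP"]))


def filter_main_office_apps(ev: dict) -> bool:
    # Two keys in one map => both must hold: install directory AND binary name.
    return contains_any(ev["Image"], OFFICE_DIRS) and ends_with_any(ev["Image"], OFFICE_IMAGES)


def filter_main_office_click_to_run(ev: dict) -> bool:
    return contains_any(ev["Image"], [C2R_DIR]) and ends_with_any(ev["Image"], [C2R_IMAGE])


def matches(ev: dict) -> bool:
    """The rule's condition, clause by clause."""
    target = ev["TargetFilename"]
    word_hit = selection_word_paths(ev) and not ends_with_any(target, WORD_EXT)
    excel_hit = selection_excel_paths(ev) and not ends_with_any(target, EXCEL_EXT)
    office_writer = filter_main_office_apps(ev) or filter_main_office_click_to_run(ev)  # 1 of filter_main_*
    return (word_hit or excel_hit) and not office_writer


# Constructed sample events (not real telemetry).
EVENTS = [
    # Unknown process plants a DLL in the per-user Excel startup folder -> alert
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\loader.dll"},
    # Excel itself saves the personal macro workbook; .xlsb is not in the
    # extension exclusion list, only the image filter keeps this quiet -> no alert
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB"},
    # cmd.exe drops a macro-enabled template; .dotm is excluded by extension -> no alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\macros.dotm"},
    # Machine-wide XLSTART under Program Files; .xlam is not excluded -> alert
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\XLSTART\\book.xlam"},
    # Click-to-Run updater writing into Office's own STARTUP -> filtered, no alert
    {"Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\update.tmp"},
    # A binary merely named excel.exe outside the Office directory -> alert
    {"Image": "C:\\Users\\alice\\Downloads\\excel.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\sheet.bin"},
]


def alerting_files(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event the rule would fire on."""
    return [ev["TargetFilename"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for path in alerting_files(EVENTS):
        print("ALERT", path)
```

Two points the sample events make explicit. The image filter requires both the Microsoft Office install directory and the winword.exe/excel.exe name, so a binary merely called excel.exe under a user profile still fires the rule. Conversely, the extension exclusion lists mean that .xll and .wll add-ins and .dotm templates dropped into these folders by any process are outside this rule's scope and need separate coverage.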