LoFP / false positives may occur if legitimate office documents are executing macro code. ensure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.

Techniques

• T1566
• T1566.001

Sample rules

Office Document Executing Macro Code

• source: splunk
• technicques:
  • T1566
  • T1566.001

Description

The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.

Detection logic

`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") 
| stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `office_document_executing_macro_code_filter`