LoFP / False positives may occur if legitimate Office documents execute macro code. Investigate the macro code and the command it executes; if the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.

Techniques

Sample rules

Office Document Executing Macro Code

Description

This detection identifies suspicious Office documents that use macro code. Macros are a prevalent weaponization and attack vector for threat actors: malicious macro code embedded in an Office document delivered as an attachment can execute a malicious payload, download malware, or drop other malicious components. As a baseline, disable macros by default so that macro code does not run automatically when an Office document is opened or closed.

Detection logic

`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") 
| stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `office_document_executing_macro_code_filter`
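The SPL above, re-implemented in Python as an added example (not code from the LoFP page or from the Splunk rule itself) so the match clause, the stats aggregation and the exclusion filter can be run against a handful of constructed Sysmon records. The `command_line` field is an assumption: an EventCode 7 image-load record carries no command line, so a real pipeline would join it in from the process's EventCode 1 record before a document name can be matched against the exclusion list.

```python
from fnmatch import fnmatch

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe",
                    "onenotem.exe", "onenoteviewer.exe", "onenoteim.exe",
                    "msaccess.exe"}
VBA_RUNTIME_DLLS = ("*\\vbe7intl.dll", "*\\vbe7.dll", "*\\vbeui.dll")
VBA_DIR = "C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\"

# Constructed Sysmon records using the field names the SPL relies on.
# `command_line` is an assumption (see lead-in): EventCode 7 has no command
# line, so a real pipeline would join it in from the EventCode 1 record.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 7, "dest": "ws01", "process_guid": "{G1}", "process_name": "WINWORD.EXE",
     "loaded_file": "VBE7.DLL", "loaded_file_path": VBA_DIR + "VBE7.DLL", "command_line": "WINWORD.EXE invoice_0425.docm"},
    {"_time": 1700000005, "EventCode": 7, "dest": "ws01", "process_guid": "{G1}", "process_name": "WINWORD.EXE",
     "loaded_file": "VBE7INTL.DLL", "loaded_file_path": VBA_DIR + "VBE7INTL.DLL", "command_line": "WINWORD.EXE invoice_0425.docm"},
    {"_time": 1700000001, "EventCode": 7, "dest": "ws01", "process_guid": "{G1}", "process_name": "WINWORD.EXE",
     "loaded_file": "KERNEL32.DLL", "loaded_file_path": "C:\\Windows\\System32\\KERNEL32.DLL", "command_line": "WINWORD.EXE invoice_0425.docm"},
    {"_time": 1700000100, "EventCode": 7, "dest": "ws02", "process_guid": "{G2}", "process_name": "EXCEL.EXE",
     "loaded_file": "VBEUI.DLL", "loaded_file_path": VBA_DIR + "VBEUI.DLL", "command_line": "EXCEL.EXE budget_template.xlsm"},
    {"_time": 1700000200, "EventCode": 7, "dest": "ws03", "process_guid": "{G3}", "process_name": "notepad.exe",
     "loaded_file": "VBE7.DLL", "loaded_file_path": VBA_DIR + "VBE7.DLL", "command_line": "notepad.exe"},
]

def is_macro_runtime_load(ev):
    """The rule's match clause: an Office process image-loading a VBA runtime DLL."""
    if ev.get("EventCode") != 7 or ev.get("process_name", "").lower() not in OFFICE_PROCESSES:
        return False
    path = ev.get("loaded_file_path", "").lower()
    return any(fnmatch(path, pattern) for pattern in VBA_RUNTIME_DLLS)

def run_detection(events, excluded_documents=()):
    """Match, then the `stats ... by dest EventCode process_name process_guid`
    step; `excluded_documents` plays the role of the rule's filter macro."""
    groups = {}
    for ev in events:
        if not is_macro_runtime_load(ev):
            continue
        cmd = ev.get("command_line", "").lower()
        if any(doc.lower() in cmd for doc in excluded_documents):
            continue  # vetted benign document, per the false-positive note
        key = (ev["dest"], ev["EventCode"], ev["process_name"], ev["process_guid"])
        g = groups.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"],
                                    "loaded_file": set(), "count": 0})
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        g["loaded_file"].add(ev["loaded_file"])
        g["count"] += 1
    return groups
```

The notepad.exe record shows why the process_name restriction matters for the false-positive note: a non-Office application loading vbe7.dll never reaches the stats step.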