Office Document Executing Macro Code
- source: splunk
- techniques:
  - T1566
  - T1566.001
Description
This detection is designed to identify suspicious office documents that utilize macro code. Macro code is known to be a prevalent weaponization or attack vector for threat actors. This malicious macro code can be embedded in an office document as an attachment, potentially executing a malicious payload, downloading malware, or other malicious components. It is a good practice to disable macros by default to prevent the automatic execution of macro code when opening or closing office document files.
Detection logic
`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL")
| stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_document_executing_macro_code_filter`
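As an added example (not part of this page or of Splunk's own content), the rule's filter and `stats` aggregation re-implemented in Python over a few constructed Sysmon EventCode 7 (Image loaded) records, so the matching logic can be exercised offline. Field names follow the SPL above; deriving `loaded_file` from the file name at the end of `loaded_file_path` is an assumption.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Process and DLL lists copied from the rule's SPL (compared case-insensitively,
# as Splunk does for field values).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe",
                    "onenotem.exe", "onenoteviewer.exe", "onenoteim.exe", "msaccess.exe"}
VBE_DLL_PATTERNS = ("*\\vbe7intl.dll", "*\\vbe7.dll", "*\\vbeui.dll")

VBA_DIR = "C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\"

# Constructed Sysmon EventCode 7 records reduced to the fields the rule uses.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 7, "dest": "wks01", "process_name": "WINWORD.EXE",
     "process_guid": "{constructed-guid-1}", "loaded_file_path": VBA_DIR + "VBE7.DLL"},
    {"_time": 1700000030, "EventCode": 7, "dest": "wks01", "process_name": "WINWORD.EXE",
     "process_guid": "{constructed-guid-1}", "loaded_file_path": VBA_DIR + "VBE7INTL.DLL"},
    # Benign: Word loading a system DLL, not a VBA runtime DLL.
    {"_time": 1700000040, "EventCode": 7, "dest": "wks01", "process_name": "WINWORD.EXE",
     "process_guid": "{constructed-guid-1}", "loaded_file_path": "C:\\Windows\\System32\\kernel32.dll"},
    # Not an Office process, so out of scope for this rule even though it loads VBE7.DLL.
    {"_time": 1700000050, "EventCode": 7, "dest": "wks01", "process_name": "other.exe",
     "process_guid": "{constructed-guid-2}", "loaded_file_path": VBA_DIR + "VBE7.DLL"},
]


def is_macro_load(event):
    """The rule's search clause: an Office process loading one of the VBA runtime DLLs."""
    if event.get("EventCode") != 7:
        return False
    if event.get("process_name", "").lower() not in OFFICE_PROCESSES:
        return False
    path = event.get("loaded_file_path", "").lower()
    return any(fnmatchcase(path, pattern) for pattern in VBE_DLL_PATTERNS)


def detect(events):
    """The rule's stats: firstTime, lastTime, values(loaded_file), count by dest/EventCode/process_name/process_guid."""
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None, "loaded_file": set(), "count": 0})
    for ev in events:
        if not is_macro_load(ev):
            continue
        g = groups[(ev["dest"], ev["EventCode"], ev["process_name"], ev["process_guid"])]
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["loaded_file"].add(ev["loaded_file_path"].rsplit("\\", 1)[-1])  # assumed: file name only
        g["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for key, summary in detect(SAMPLE_EVENTS).items():
        print(key, summary)
```

The `office_document_executing_macro_code_filter` macro from the SPL is an allow-list hook left to the deploying team and is intentionally not modelled here.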