Potential Persistence Via Microsoft Office Startup Folder
- source: sigma
- techniques:
  - t1137
Description
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Detection logic
condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
filter_main_office:
  Image|endswith:
    - \WINWORD.exe
    - \EXCEL.exe
selection_excel_extension:
  TargetFilename|endswith:
    - .xls
    - .xlsm
    - .xlsx
    - .xlt
    - .xltm
selection_excel_paths:
  - TargetFilename|contains: \Microsoft\Excel\XLSTART
  - TargetFilename|contains|all:
      - \Office
      - \Program Files
      - \XLSTART
selection_word_extension:
  TargetFilename|endswith:
    - .doc
    - .docm
    - .docx
    - .dot
    - .dotm
    - .rtf
selection_word_paths:
  - TargetFilename|contains: \Microsoft\Word\STARTUP
  - TargetFilename|contains|all:
      - \Office
      - \Program Files
      - \STARTUP
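As an added example (not part of the rule or the Sigma project), the condition above re-implemented in Python and run over constructed Sysmon-style file-creation events, so the two path forms, the extension lists and the WINWORD.exe/EXCEL.exe exclusion can each be seen firing or not; the sample paths and image names are assumptions.

```python
# Added example: Python re-implementation of the Sigma rule's detection logic, run
# against constructed Sysmon-style file-create events (field names from the rule).
WORD_EXT = (".doc", ".docm", ".docx", ".dot", ".dotm", ".rtf")
EXCEL_EXT = (".xls", ".xlsm", ".xlsx", ".xlt", ".xltm")
OFFICE_IMAGES = ("\\winword.exe", "\\excel.exe")  # filter_main_office

def in_startup_folder(path: str, user_dir: str, shared_dir: str) -> bool:
    # selection_*_paths: the per-user folder, or the shared one under Program Files.
    # Sigma contains/endswith are case-insensitive, so everything is compared lower-cased.
    p = path.lower()
    if user_dir.lower() in p:
        return True
    return all(part in p for part in ("\\office", "\\program files", shared_dir.lower()))

def matches_rule(event: dict) -> bool:
    # condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    word = target.endswith(WORD_EXT) and in_startup_folder(target, r"\Microsoft\Word\STARTUP", r"\STARTUP")
    excel = target.endswith(EXCEL_EXT) and in_startup_folder(target, r"\Microsoft\Excel\XLSTART", r"\XLSTART")
    return (word or excel) and not image.endswith(OFFICE_IMAGES)

# Constructed sample events (not real telemetry).
EVENTS = [
    # 1: cmd.exe drops a macro template into the per-user Word STARTUP folder -> alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal2.dotm"},
    # 2: same path, but written by WINWORD.exe itself -> suppressed by filter_main_office
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal2.dotm"},
    # 3: PowerShell writes a workbook into the shared XLSTART under Program Files -> alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Program Files\Microsoft Office\root\Office16\XLSTART\book.xlsm"},
    # 4: right folder, wrong extension -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\readme.txt"},
    # 5: Office document outside any startup folder -> no alert
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

def alerts(events: list) -> list:
    # Return the TargetFilename of every event the rule fires on.
    return [e["TargetFilename"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in alerts(EVENTS):
        print("ALERT:", hit)
```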