diff --git a/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml
new file mode 100644
index 000000000..9db167e2f
--- /dev/null
+++ b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml
@@ -0,0 +1,35 @@
+name: Microsoft Office file execution via script interpreter
+id: bf3ea547-1470-4bcc-9945-3b495d962c2c
+version: 1.0.0
+description: |
+ Identifies the execution via Windows script interpreter of the executable file written
+ by the Microsoft Office process.
+labels:
+ tactic.id: TA0001
+ tactic.name: Initial Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0001/
+ technique.id: T1566
+ technique.name: Phishing
+ technique.ref: https://attack.mitre.org/techniques/T1566/
+ subtechnique.id: T1566.001
+ subtechnique.name: Spearphishing Attachment
+ subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+
+condition: >
+ sequence
+ maxspan 2m
+ |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com', '.scr', '.pif', '.bat') or file.is_exec = true)| by file.path
+ |spawn_process and ps.name iin script_interpreters and ps.child.exe not imatches
+ (
+ '?:\\Program Files\\*.exe',
+ '?:\\Program Files (x86)\\*.exe'
+ )
+ | by ps.child.exe
+action:
+ - name: kill
+
+output: >
+ Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via script interpreter %2.ps.exe
+severity: high
+
+min-engine-version: 2.4.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index 0d0cb8a77..5bb9d4768 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
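Review bot: The first stage of the `condition` sequence admits `.bat` files, but the second stage correlates on `by ps.child.exe`, and a batch file started from a script interpreter runs under `cmd.exe`, so the child executable path is unlikely to equal the written `file.path` and the two stages would not join for that extension — worth confirming against the engine's spawn_process semantics before relying on it. If that holds, either drop `'.bat'` from the extension list or state in `description` that correlation is only expected for directly spawnable images. The description itself reads awkwardly; a clearer form is `Identifies a Microsoft Office process writing an executable file that a Windows script interpreter subsequently launches within a short time window.` A comment such as `# 2m: the write and the launch are expected back-to-back in the same session` above `maxspan 2m` would record the tuning rationale. Since `action: kill` is an automated response, documenting which process the engine terminates on a sequence match (presumably the one in the final matched event) would help operators assess the blast radius of this rule.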
@@ -323,7 +323,7 @@ gaining persistence on the compromised endpoint.
 - macro: script_interpreters
- list: ["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"]
+ list: ["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe", "cmd.exe"]
 - macro: startup_shell_folder_registry_keys
 list: [