From 251d4fbc343b55a2c453f99a6d658a08c2cf1a00 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 21 Apr 2025 21:24:38 +0200
Subject: [PATCH 1/2] chore(rules): Add cmd.exe to script interpreters list

---
 rules/macros/macros.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index 0d0cb8a77..5bb9d4768 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -323,7 +323,7 @@ gaining persistence on the compromised endpoint.
 - macro: script_interpreters
-  list: ["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"]
+  list: ["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe", "cmd.exe"]
 
 - macro: startup_shell_folder_registry_keys
   list: [

From a5fd3ddbb0cc1bf41d8261034d9f44bb912674b8 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 29 Apr 2025 21:58:54 +0200
Subject: [PATCH 2/2] feat(rules): Microsoft Office file execution via script interpreter

Identifies the execution via Windows script interpreter of the executable file written by the Microsoft Office process.
---
 ..._file_execution_via_script_interpreter.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml

diff --git a/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml
new file mode 100644
index 000000000..9db167e2f
--- /dev/null
+++ b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml
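Review bot: Adding `cmd.exe` to the shared `script_interpreters` macro widens every rule that expands this macro, not only the new Office rule introduced in the second patch, and `cmd.exe` is spawned far more often in normal operation than the five existing entries, so any consumer that keys on `ps.name iin script_interpreters` without a narrower parent or child constraint will gain false positives. The other consumers of the macro live outside this hunk, so they should be audited before this lands. If only the new rule needs the shell, a separate macro such as `- macro: script_interpreters_and_shell` with `  list: ["cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"]` that the new rule references leaves the existing rules' scope unchanged.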
@@ -0,0 +1,35 @@
+name: Microsoft Office file execution via script interpreter
+id: bf3ea547-1470-4bcc-9945-3b495d962c2c
+version: 1.0.0
+description: |
+  Identifies the execution via Windows script interpreter of the executable file written
+  by the Microsoft Office process.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+  subtechnique.id: T1566.001
+  subtechnique.name: Spearphishing Attachment
+  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+
+condition: >
+  sequence
+  maxspan 2m
+    |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com', '.scr', '.pif', '.bat') or file.is_exec = true)| by file.path
+    |spawn_process and ps.name iin script_interpreters and ps.child.exe not imatches
+      (
+        '?:\\Program Files\\*.exe',
+        '?:\\Program Files (x86)\\*.exe'
+      )
+    | by ps.child.exe
+action:
+  - name: kill
+
+output: >
+  Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via script interpreter %2.ps.exe
+severity: high
+
+min-engine-version: 2.4.0
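Review bot: The `.bat` entry in the first stage's extension list can never satisfy the sequence join: the two stages are correlated on `by file.path` / `by ps.child.exe`, and a batch file is not a process image — it runs under `cmd.exe`, so `ps.child.exe` is the path of `cmd.exe`, never the path Office wrote. Either drop it, `(file.extension iin ('.exe', '.com', '.scr', '.pif') or file.is_exec = true)`, or add a batch-specific stage that matches the written path in the child's command line (presumably a `ps.child.cmdline` contains/imatches clause — verify the field and operator against the engine's field reference). The same join means the rule only fires when the interpreter launches the dropped binary directly as its child (e.g. `cmd /c dropped.exe`), not when it is launched indirectly or after the 2m window; the description should say so, e.g. `Identifies a script interpreter or shell directly executing an executable file that a Microsoft Office process wrote within the previous two minutes.`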