rabbitstack · rabbitstack · Apr 29, 2025 · Apr 21, 2025 · Apr 29, 2025
diff --git a/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml
@@ -0,0 +1,35 @@
+name: Microsoft Office file execution via script interpreter
+id: bf3ea547-1470-4bcc-9945-3b495d962c2c
+version: 1.0.0
+description: |
+  Identifies the execution via Windows script interpreter of the executable file written 
+  by the Microsoft Office process.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+  subtechnique.id: T1566.001
+  subtechnique.name: Spearphishing Attachment
+  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+
+condition: >
+  sequence
+  maxspan 2m
+    |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com', '.scr', '.pif', '.bat') or file.is_exec = true)| by file.path
+    |spawn_process and ps.name iin script_interpreters and ps.child.exe not imatches 
+      (
+        '?:\\Program Files\\*.exe',
+        '?:\\Program Files (x86)\\*.exe'
+      )
+    | by ps.child.exe
+action:
+  - name: kill
+
+output: >
+  Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via script interpreter %2.ps.exe
+severity: high
+
+min-engine-version: 2.4.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -323,7 +323,7 @@
     gaining persistence on the compromised endpoint.
 
 - macro: script_interpreters
-  list: ["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"]
+  list: ["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe", "cmd.exe"]
 
 - macro: startup_shell_folder_registry_keys
   list: [