Add rule: Office Macro Phishing Initial Access detection by arjun-tarakesh · Pull Request #5411 · SigmaHQ/sigma · GitHub

Add rule: Office Macro Phishing Initial Access detection #5411

Open
wants to merge 2 commits into
base: master
@@ -0,0 +1,46 @@
title: Suspicious Office Macro Execution via CLI Arguments
id: 1b94f66b-46fc-4262-8937-74cfc8d2c8da
status: experimental
description: Detects Microsoft Office applications (Word, Excel, PowerPoint, etc.) started with suspicious command-line arguments such as /m, .dotm, or macro-related keywords like AutoOpen/AutoClose.
These may indicate auto-executing Office macros used in phishing attacks to gain initial access.

author: arjun-tarakesh
date: 2025/05/11
references:
- 'https://attack.mitre.org/techniques/T1566/001/'
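Review bot: the `date` field on this hunk uses `2025/05/11`, but SigmaHQ rules now use the ISO form `YYYY-MM-DD` (`date: 2025-05-11`), so this will be flagged by the repository checks. Two smaller points in the same region: the `description` runs onto a second line (`These may indicate ...`) without a block scalar indicator, so either join it into one line or write it as `description: |` with indented continuation lines; and the blank line between the description and `author:` should go, consistent with the later comment about spacing between sections.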
Member

Suggested change
- 'https://attack.mitre.org/techniques/T1566/001/'
- https://support.microsoft.com/en-us/office/command-line-switches-for-microsoft-office-products-079164cd-4ef5-4178-b235-441737deb3a6


tags:
- attack.execution
- attack.t1566.001
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\MSPUB.EXE'
- '\ONENOTE.EXE'
- '\MSACCESS.EXE'
- '\VISIO.EXE'

selection_cmdline:
CommandLine|contains:
- '/m'
- '/t'
- '/n'
- '.dotm'
- 'AutoOpen'
- 'AutoClose'
- '/q'
- '/quiet'
- '/h'
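Review bot: `selection_parent` keys on `ParentImage`, which contradicts the description (`Detects Microsoft Office applications ... started with suspicious command-line arguments`): with `ParentImage` the Office binary is the parent and `CommandLine` is the child's command line, so an event in which `WINWORD.EXE` itself is launched with `/m` never matches. If the intent is the Office process being started with these switches, this should be `Image|endswith`. In `selection_cmdline`, `AutoOpen` and `AutoClose` are VBA procedure names that live inside the document, not command-line switches, so they will not normally appear in `CommandLine` at all, and the bare `/m`, `/t`, `/n`, `/h`, `/q` substrings also match inside any path or URL argument (a leading space, e.g. `' /m'`, would at least anchor them to a switch position). On the tags: `attack.t1059.001` is PowerShell, not VBA (`attack.t1059.005`), and `attack.t1566.001` belongs to the `attack.initial-access` tactic, which is missing from the list.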
Comment on lines +32 to +40
Member

Hey @arjun-tarakesh

This notation means an OR. So this rule is saying that as long as any of the images above has one of these flags, it should trigger.

Not all of these flags are relevant to what you are trying to detect. I suggest you keep only those that are macro-related and take care of the potential FPs that might occur.

I suggest you give this a read: https://support.microsoft.com/en-us/office/command-line-switches-for-microsoft-office-products-079164cd-4ef5-4178-b235-441737deb3a6
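To make the OR semantics and the false-positive concern from the comment above concrete, here is an added example that is not part of this PR and not SigmaHQ tooling: a toy Python evaluator for the proposed `detection` block, run over a few constructed `process_creation` events. It implements only the `endswith` and `contains` modifiers, treats a list of values as an OR and the fields of one selection as an AND, and handles `a and b` conditions. The `TIGHTENED_DETECTION` variant, the helper binary `AddinHelper.exe`, the URL and the macro name `MyMacro` are assumptions made for this example, not content from the PR.

```python
"""Toy Sigma evaluator (added example, not SigmaHQ code) for the PR's detection block."""

# Detection block as proposed in the PR; map keys are "field|modifier".
PR_DETECTION = {
    "selection_parent": {
        "ParentImage|endswith": [
            "\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE", "\\MSPUB.EXE",
            "\\ONENOTE.EXE", "\\MSACCESS.EXE", "\\VISIO.EXE",
        ],
    },
    "selection_cmdline": {
        "CommandLine|contains": [
            "/m", "/t", "/n", ".dotm", "AutoOpen", "AutoClose", "/q", "/quiet", "/h",
        ],
    },
    "condition": "selection_parent and selection_cmdline",
}

# Hypothetical tightened variant (an assumption for this example, not the PR's text):
# match the Office binary itself via Image, and anchor the switch with a leading
# space so "/m" inside a path or URL no longer matches.
TIGHTENED_DETECTION = {
    "selection_img": {
        "Image|endswith": PR_DETECTION["selection_parent"]["ParentImage|endswith"],
    },
    "selection_cmdline": {"CommandLine|contains": [" /m", ".dotm"]},
    "condition": "selection_img and selection_cmdline",
}


def field_matches(event, field_spec, values):
    """Sigma string matching is case-insensitive; a list of values is an OR."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        v = str(value).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection map must match (AND)."""
    return all(
        field_matches(event, spec, vals if isinstance(vals, list) else [vals])
        for spec, vals in selection.items()
    )


def evaluate(event, detection):
    """Evaluate a 'sel_a and sel_b' style condition, which is all this rule needs."""
    results = {
        name: selection_matches(event, sel)
        for name, sel in detection.items()
        if name != "condition"
    }
    return all(results[tok.strip()] for tok in detection["condition"].split(" and "))


# Constructed sample events (not real telemetry).
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"

SAMPLE_EVENTS = {
    # Word starts a helper with a URL argument: benign, but "/manuals" contains "/m".
    "benign_url_child": {
        "ParentImage": OFFICE + "WINWORD.EXE",
        "Image": OFFICE + "AddinHelper.exe",
        "CommandLine": '"' + OFFICE + 'AddinHelper.exe" --url=https://intranet.example/manuals/index.html',
    },
    # Word itself launched with the documented /m switch: the case the description
    # names, but here Word is the Image, not the ParentImage.
    "word_with_macro_switch": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": OFFICE + "WINWORD.EXE",
        "CommandLine": '"' + OFFICE + 'WINWORD.EXE" /mMyMacro',
    },
    # Excel opening a text file in Notepad: no switch anywhere.
    "benign_notepad": {
        "ParentImage": OFFICE + "EXCEL.EXE",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe report.txt",
    },
}


def rule_results(detection):
    """Map each sample event name to whether the given detection fires on it."""
    return {name: evaluate(ev, detection) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("PR rule:       ", rule_results(PR_DETECTION))
    print("tightened rule:", rule_results(TIGHTENED_DETECTION))
```

Running it shows the two sides of the comment: the PR's block fires on the benign helper process (the `/m` substring inside `/manuals`) while missing Word started with `/mMyMacro`, because `ParentImage` points at the parent; the tightened variant inverts both outcomes on the same three events.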


condition: selection_parent and selection_cmdline

Comment on lines +42 to +43
Member

You do not need to leave spaces between sections. Please make sure of that for the rest of the rule.

Suggested change
condition: selection_parent and selection_cmdline
condition: selection_parent and selection_cmdline

falsepositives:
- Legitimate use of Office CLI options in enterprise scripting environments or automation
level: medium