ffcommax · November 8, 2021 13:20
diff --git a/Microsoft Office Product Spawning Windows Shell.yml b/Microsoft Office Product Spawning Windows Shell.yml
 title: Microsoft Office Product Spawning Windows Shell
 id: 438025f9-5856-4663-83f7-52f878a70a50
 status: experimental
 description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
 references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 tags:
    - attack.execution
    - attack.t1204          # an old one
    - attack.t1204.002
 author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
 date: 2018/04/06
 modified: 2020/09/01
 logsource:
    category: process_creation
    product: windows
 detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\OUTLOOK.EXE'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\scrcons.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\hh.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
            - '\mftrace.exe'
            - '\AppVLP.exe'
            - '\svchost.exe'  # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
    condition: selection
 fields:
    - CommandLine
    - ParentCommandLine
 falsepositives:
    - unknown
 level: high
	title: Microsoft Office Product Spawning Windows Shell
	id: 438025f9-5856-4663-83f7-52f878a70a50
	status: experimental
	description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
	references:
	- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
	- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
	tags:
	- attack.execution
	- attack.t1204 # an old one
	- attack.t1204.002
	author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
	date: 2018/04/06
	modified: 2020/09/01
	logsource:
	category: process_creation
	product: windows
	detection:
	selection:
	ParentImage\|endswith:
	- '\WINWORD.EXE'
	- '\EXCEL.EXE'
	- '\POWERPNT.exe'
	- '\MSPUB.exe'
	- '\VISIO.exe'
	- '\OUTLOOK.EXE'
	- '\MSACCESS.EXE'
	- '\EQNEDT32.EXE'
	Image\|endswith:
	- '\cmd.exe'
	- '\powershell.exe'
	- '\wscript.exe'
	- '\cscript.exe'
	- '\sh.exe'
	- '\bash.exe'
	- '\scrcons.exe'
	- '\schtasks.exe'
	- '\regsvr32.exe'
	- '\hh.exe'
	- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
	- '\mshta.exe'
	- '\rundll32.exe'
	- '\msiexec.exe'
	- '\forfiles.exe'
	- '\scriptrunner.exe'
	- '\mftrace.exe'
	- '\AppVLP.exe'
	- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
	- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
	condition: selection
	fields:
	- CommandLine
	- ParentCommandLine
	falsepositives:
	- unknown
	level: high