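# CrowdSec trigger scenario derived from the Sigma rule
# proc_creation_win_renamed_office_processes.
#
# Matches a Sysmon process-creation event (EventID 1) whose PE version
# info (OriginalFileName / Description) identifies a Microsoft Office
# application while the on-disk image name is not one of the expected
# Office executables, i.e. an Office binary that was copied/renamed
# before being run. `type: trigger` fires on every matching event.
type: trigger
name: sigmahq/proc_creation_win_renamed_office_processes
description: |
  Detects the execution of a renamed office binary
# Sigma string comparisons are case-insensitive, but expr's `endsWith` is
# not. The exclusion list therefore compares against an upper-cased image
# path; otherwise a legitimate `...\EXCEL.EXE` would not be excluded by
# `'\\EXCEL.exe'` and every ordinary Office launch would alert.
# The OriginalFileName / Description lists stay exact-match: these are
# fixed version-info strings taken verbatim from the Sigma rule.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') &&
  (
    (
      evt.Parsed.OriginalFileName in ['Excel.exe', 'MSACCESS.EXE', 'MSPUB.EXE', 'OneNote.exe', 'OneNoteM.exe', 'OUTLOOK.EXE', 'POWERPNT.EXE', 'WinWord.exe'] ||
      evt.Parsed.Description in ['Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft Outlook', 'Microsoft PowerPoint', 'Microsoft Publisher', 'Microsoft Word', 'Sent to OneNote Tool']
    ) &&
    not (
      Upper(evt.Parsed.Image) endsWith '\\EXCEL.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\EXCELCNV.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\MSACCESS.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\MSPUB.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\ONENOTE.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\ONENOTEM.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\OUTLOOK.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\POWERPNT.EXE' ||
      Upper(evt.Parsed.Image) endsWith '\\WINWORD.EXE'
    )
  )
# Suppress repeated alerts for the same scope (see below) for 2 minutes.
blackhole: 2m

labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    label: "Renamed Office Binary Execution"
    behavior: "windows:audit"
  remediation: false

# Alerts are grouped by the parent process rather than the source IP.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId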