
Add rule: Office Macro Phishing Initial Access detection

Open arjun-tarakesh opened this issue 8 months ago • 2 comments

Summary of the Pull Request

Added a Sigma rule that detects Microsoft Office applications (such as Word, Excel, PowerPoint) launched with suspicious command-line arguments. These arguments (e.g., /m, .dotm, AutoOpen) are frequently associated with auto-executing macros often leveraged in phishing campaigns for initial access. This detection aligns with MITRE ATT&CK technique T1566.001.

Changelog

new: Suspicious Office Macro Execution via CLI Arguments

Example Log Event

{
  "UtcTime": "2025-05-11T10:42:00.000Z",
  "EventID": 1,
  "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /m AutoOpen /q",
  "ParentImage": "C:\\Windows\\explorer.exe",
  "OriginalFileName": "WINWORD.EXE",
  "User": "CORP\\target.user",
  "ProcessId": 5432,
  "ParentProcessId": 567,
  "LogonId": "0x3e7",
  "IntegrityLevel": "Medium",
  "Hashes": "SHA256=abcdef123456...",
  "Company": "Microsoft Corporation",
  "Description": "Microsoft Word"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • Rule file follows naming conventions: proc_creation_win_macro_cli.yml

  • Structure includes id, description, references, and appropriate ATT&CK tags

  • Tags: attack.t1566.001, attack.t1059.001, attack.execution

  • MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment) is the main detection focus

  • References included to support technique

  • Rule status is set to experimental

  • Detection logic uses CommandLine|contains and ParentImage|endswith on Office apps

arjun-tarakesh avatar May 10 '25 15:05 arjun-tarakesh
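As an added illustration (not code from the PR or from SigmaHQ), this Python script applies the detection logic the description outlines, case-insensitive substring matching of the listed arguments (/m, .dotm, AutoOpen) on Office process-creation events, to constructed Sysmon-style JSON lines. It keys on the Image field as in the example event above (an assumption about the rule), and the last sample shows that a bare "/m" fragment also fires on a benign forward-slash document path, a false-positive case worth tuning before deployment.

```python
import json

# Office binaries the detection keys on (assumed set, not taken from the PR's rule file).
OFFICE_IMAGES = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe")
# Macro-related command-line fragments named in the PR description.
SUSPICIOUS_FRAGMENTS = ("/m", ".dotm", "autoopen")


def matched_fragments(event: dict) -> list:
    """Return the suspicious fragments found in an Office process-creation
    event (Sysmon EventID 1); an empty list means the rule does not fire.
    Matching is case-insensitive substring, like Sigma's |contains modifier."""
    if event.get("EventID") != 1:
        return []
    image = event.get("Image", "").lower()
    if not image.endswith(OFFICE_IMAGES):
        return []
    cmdline = event.get("CommandLine", "").lower()
    return [frag for frag in SUSPICIOUS_FRAGMENTS if frag in cmdline]


def scan_log(jsonl: str) -> list:
    """Parse JSON-lines Sysmon output; return (image name, fragments) per hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        frags = matched_fragments(event)
        if frags:
            hits.append((event["Image"].rsplit("\\", 1)[-1], frags))
    return hits


# Constructed sample events (hypothetical); the first mirrors the PR's example log.
# 1: matches on /m and AutoOpen. 2: benign Word launch, no match.
# 3: Word started by Outlook on a .dotm attachment. 4: non-Office process, ignored.
# 5: benign .docx opened via a forward-slash path; "/m" still matches ("/marketing").
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /m AutoOpen /q", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\target.user\\Documents\\report.docx\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\target.user\\Downloads\\invoice.dotm\"", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe AutoOpen.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" \"C:/Users/target.user/marketing.docx\"", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for image, frags in scan_log(SAMPLE_LOG):
        print(f"ALERT {image}: matched {frags}")
```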

Hi, there is already the https://github.com/SigmaHQ/sigma/blob/b062d8ad650054cd20836d5ba38031090b8d8c33/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml

You can use https://sigmasearchengine.com/ to search

frack113 avatar May 11 '25 06:05 frack113


Hi @frack113,

Thank you so much for the helpful insight — and apologies for the duplication earlier. I'm a first-time contributor and still getting familiar with the repo structure and search workflows.

Based on your feedback, I’ve updated my rule to focus on suspicious command-line arguments used to launch Office applications (like /m, .dotm, AutoOpen), which may indicate macro-based execution triggered via phishing.

I used the Sigma search engine to double-check and couldn't find an existing rule that specifically detects Office command-line macro execution patterns — but please let me know if I missed anything. Would you mind taking a look and confirming if the update now looks okay?

arjun-tarakesh avatar May 11 '25 10:05 arjun-tarakesh