Executable Written and Executed by Microsoft Office Applications¶
Identifies an executable file written by a Microsoft Office application where that same executable is later ran as it’s own process. This behavior can be indicative of suspicious activity possibly tied to macro objects or technologies used for command execution such as Dynamic Data Exchange (DDE).
| id: | 2b512bec-b28d-4a84-9253-2c691bedb7bc |
|---|---|
| categories: | detect |
| confidence: | high |
| os: | windows |
| created: | 12/04/2019 |
| updated: | 12/04/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Execution |
|---|---|
| techniques: | T1204 User Execution, T1173 Dynamic Data Exchange |
Query¶
sequence with maxspan=3d
[file where file_name == "*.exe" and process_name in ("winword.exe", "excel.exe", "powerpnt.exe")] by file_path
[process where true] by process_path