MS Office Template Injection

Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents.

id:bba65411-cf61-4d7c-a9a8-a2021684e9ca
categories:detect
confidence:low
os:windows
created:02/12/2020
updated:02/12/2020

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1221 Template Injection

Query

sequence by unique_pid
  [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")]
  [dns where not wildcard(query_name, "*.microsoft.com", "*.skype.com")]
  [network where true]
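The query above is a three-stage EQL sequence keyed on unique_pid: an Office process starts, that same process resolves a hostname outside the allow-listed Microsoft and Skype domains, and then makes a network connection. The following Python script is an added worked example (not part of this analytic or the EQL library) that re-implements that per-process state machine over a handful of constructed sample events, so the matching logic can be read and run outside an EQL engine. It assumes events are plain dicts with event_type, unique_pid, process_name and query_name fields, approximates EQL's wildcard() with fnmatch, and simplifies EQL sequence semantics in one way: a second process event for a pid that is already mid-sequence does not restart the sequence.

```python
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple

# Stage constants taken directly from the EQL query.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TRUSTED_DNS = ("*.microsoft.com", "*.skype.com")

Event = Dict[str, object]


def wildcard(value: str, *patterns: str) -> bool:
    """Case-insensitive glob match, approximating EQL's wildcard() (assumption)."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def stage_process(ev: Event) -> bool:
    # [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")]
    return ev["event_type"] == "process" and str(ev.get("process_name", "")).lower() in OFFICE_PROCS


def stage_dns(ev: Event) -> bool:
    # [dns where not wildcard(query_name, "*.microsoft.com", "*.skype.com")]
    return ev["event_type"] == "dns" and not wildcard(str(ev.get("query_name", "")), *TRUSTED_DNS)


def stage_network(ev: Event) -> bool:
    # [network where true]
    return ev["event_type"] == "network"


STAGES: List[Callable[[Event], bool]] = [stage_process, stage_dns, stage_network]


def find_sequences(events: List[Event]) -> List[List[Event]]:
    """Return every completed process -> dns -> network sequence, joined on unique_pid.

    Events must be supplied in time order. One partial sequence is tracked per pid;
    an event only advances the stage its pid is currently waiting on.
    """
    progress: Dict[object, Tuple[int, List[Event]]] = {}
    matches: List[List[Event]] = []
    for ev in events:
        pid = ev["unique_pid"]
        idx, collected = progress.get(pid, (0, []))
        if not STAGES[idx](ev):
            continue  # does not satisfy the stage this pid is waiting on
        collected = collected + [ev]
        idx += 1
        if idx == len(STAGES):
            matches.append(collected)  # full sequence: emit and reset this pid
            progress.pop(pid, None)
        else:
            progress[pid] = (idx, collected)
    return matches


def summarize(match: List[Event]) -> Dict[str, object]:
    """Flatten a matched sequence into the fields an analyst would triage first."""
    proc, dns, net = match
    return {
        "unique_pid": proc["unique_pid"],
        "process_name": proc["process_name"],
        "query_name": dns["query_name"],
        "destination": net.get("destination_address"),
    }


# Constructed sample telemetry (not real data). Only pid 100 should match:
# pid 200 resolves an allow-listed Microsoft host, pid 300 has no Office process event.
SAMPLE_EVENTS: List[Event] = [
    {"ts": 1, "event_type": "process", "unique_pid": 100, "process_name": "WINWORD.EXE"},
    {"ts": 2, "event_type": "process", "unique_pid": 200, "process_name": "excel.exe"},
    {"ts": 3, "event_type": "dns", "unique_pid": 200, "query_name": "download.microsoft.com"},
    {"ts": 4, "event_type": "network", "unique_pid": 200, "destination_address": "203.0.113.5"},
    {"ts": 5, "event_type": "dns", "unique_pid": 300, "query_name": "cdn.example.net"},
    {"ts": 6, "event_type": "network", "unique_pid": 300, "destination_address": "198.51.100.9"},
    {"ts": 7, "event_type": "dns", "unique_pid": 100, "query_name": "template-host.example.net"},
    {"ts": 8, "event_type": "network", "unique_pid": 100, "destination_address": "192.0.2.44"},
]


if __name__ == "__main__":
    for m in find_sequences(SAMPLE_EVENTS):
        print(summarize(m))
```

The allow-list is why pid 200 never completes: its network event arrives while the pid is still waiting on a non-trusted DNS stage, so the event is dropped rather than advancing the sequence. Extending TRUSTED_DNS is the natural tuning knob if legitimate template servers in your environment generate false positives.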

Contributors