Add rule: Office Macro Phishing Initial Access detection #5411
Conversation
There was a problem hiding this comment.
Welcome @arjun-tarakesh 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
|
Hi, You can use https://sigmasearchengine.com/ to search |
Hi @frack113, Thank you so much for the helpful insight — and apologies for the duplication earlier. I'm a first-time contributor and still getting familiar with the repo structure and search workflows. Based on your feedback, I’ve updated my rule to focus on suspicious command-line arguments used to launch Office applications (like /m, .dotm, AutoOpen), which may indicate macro-based execution triggered via phishing. I used the Sigma search engine to double-check and couldn't find an existing rule that specifically detects Office command-line macro execution patterns — but please let me know if I missed anything. Would you mind taking a look and confirming if the update now looks okay? |
| - '/m' | ||
| - '/t' | ||
| - '/n' | ||
| - '.dotm' | ||
| - 'AutoOpen' | ||
| - 'AutoClose' | ||
| - '/q' | ||
| - '/quiet' | ||
| - '/h' |
There was a problem hiding this comment.
Hey @arjun-tarakesh
This notation means an or. So this rule is saying as long as any of the image above have one of these flag, it should trigger.
Not all of these flags are relevant to what you are trying to detect. I suggest you keep only those that are macro related and take care of the potential FP that might occur.
I suggest you give this a read https://support.microsoft.com/en-us/office/command-line-switches-for-microsoft-office-products-079164cd-4ef5-4178-b235-441737deb3a6
| author: arjun-tarakesh | ||
| date: 2025/05/11 | ||
| references: | ||
| - 'https://attack.mitre.org/techniques/T1566/001/' |
There was a problem hiding this comment.
| - 'https://attack.mitre.org/techniques/T1566/001/' | |
| - https://support.microsoft.com/en-us/office/command-line-switches-for-microsoft-office-products-079164cd-4ef5-4178-b235-441737deb3a6 |
| condition: selection_parent and selection_cmdline | ||
|
|
There was a problem hiding this comment.
You do not need to leave spaces between sections. Please make sure of that for the rest of the rule.
| condition: selection_parent and selection_cmdline | |
| condition: selection_parent and selection_cmdline |
Summary of the Pull Request
Added a Sigma rule that detects Microsoft Office applications (such as Word, Excel, PowerPoint) launched with suspicious command-line arguments. These arguments (e.g., /m, .dotm, AutoOpen) are frequently associated with auto-executing macros often leveraged in phishing campaigns for initial access. This detection aligns with MITRE ATT&CK technique T1566.001.
Changelog
new: Suspicious Office Macro Execution via CLI Arguments
Example Log Event
{ "UtcTime": "2025-05-11T10:42:00.000Z", "EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /m AutoOpen /q", "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "WINWORD.EXE", "User": "CORP\\target.user", "ProcessId": 5432, "ParentProcessId": 567, "LogonId": "0x3e7", "IntegrityLevel": "Medium", "Hashes": "SHA256=abcdef123456...", "Company": "Microsoft Corporation", "Description": "Microsoft Word" }Fixed Issues
SigmaHQ Rule Creation Conventions
Rule file follows naming conventions: proc_creation_win_macro_cli.yml
Structure includes id, description, references, and appropriate ATT&CK tags
Tags: attack.t1566.001, attack.t1059.001, attack.execution
MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment) is the main detection focus
References included to support technique
Rule status is set to experimental
Detection logic uses CommandLine|contains and ParentImage|endswith on Office apps