Threat Feed
medium advisory

Detection of Office Macro File Creation

This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.

The creation of Office macro files (.docm, .xlsm, .pptm, etc.) can be an indicator of malicious activity, often linked to initial access attempts such as phishing campaigns or malware distribution. Attackers frequently embed malicious macros within these files to execute arbitrary code on a victim’s machine upon opening the document and enabling macros. While legitimate use cases for macro-enabled documents exist, their creation should be monitored, especially when originating from unusual processes or locations. This activity is related to the technique T1566.001 (Phishing: Spearphishing Attachment). Defenders need to monitor file creation events for specific Office macro extensions, filtering out common false positives to identify potential threats.

Attack Chain

  1. An attacker crafts a malicious Office document (e.g., .docm, .xlsm) containing a VBA macro.
  2. The attacker sends the malicious document as an attachment via email (spearphishing).
  3. The user receives the email and opens the attached Office document.
  4. The user is prompted to enable macros within the document.
  5. If the user enables macros, the embedded VBA code executes.
  6. The VBA code may execute PowerShell or other scripting languages to download a malicious payload.
  7. The downloaded payload is saved to disk (e.g., in the user’s temp directory).
  8. The payload executes, establishing persistence or performing other malicious actions, such as ransomware deployment.

Impact

Successful exploitation can lead to arbitrary code execution, malware installation, data exfiltration, and potentially complete system compromise. The impact can range from individual user infection to widespread organizational damage, depending on the attacker’s objectives and the level of access gained. In a widespread attack, numerous systems could be infected, leading to significant downtime, data loss, and financial repercussions.

Recommendation

  • Deploy the Sigma rule "Office Macro File Creation" to your SIEM to detect the creation of suspicious Office macro files (logsource: file_event/windows).
  • Investigate any alerts generated by the Sigma rule, focusing on the parent processes of the file creation event.
  • Implement user awareness training to educate employees about the risks of opening unsolicited attachments and enabling macros.
  • Enable Sysmon file creation logging to capture the necessary events for the Sigma rule to function effectively.

Detection coverage (2 rules)

Office Macro File Creation (level: low)

Detects the creation of new Office macro files on monitored systems.

Sigma rule; tactics: initial-access; techniques: T1566.001; sources: file_event, windows

Suspicious Process Creating Office Macro File (level: medium)

Detects the creation of Office macro files by non-Office applications.

Sigma rule; tactics: initial-access; techniques: T1566.001; sources: file_event, windows
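The two rules above are described only by name and summary here. As an added illustration (not the platform's Sigma rules or any vendor code), the following script re-implements their logic over constructed Sysmon Event ID 11 (FileCreate) records: any macro-enabled extension is flagged at "low", and the match is raised to "medium" when the creating process is not one of an assumed allow-list of Office binaries. The template extensions beyond .docm/.xlsm/.pptm and the process allow-list are assumptions to tune per environment.

```python
"""Added example: macro-file creation triage over constructed Sysmon
FileCreate events. Not the page's Sigma rules; allow-list is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions named on the page (.docm, .xlsm, .pptm); the template
# variants are an assumed extension of the page's "etc.".
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm")

# Assumed Office executables treated as legitimate creators of macro files.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class FileCreateEvent:
    """The two Sysmon Event ID 11 fields the logic needs."""
    image: str             # Image: full path of the creating process
    target_filename: str   # TargetFilename: path of the created file


def is_macro_file(path: str) -> bool:
    """True when the created file carries a macro-enabled extension."""
    return path.lower().endswith(MACRO_EXTENSIONS)


def process_name(image: str) -> str:
    """Reduce an Image path to its lower-cased executable name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: FileCreateEvent) -> Optional[str]:
    """'low' for any macro-file creation, 'medium' when the creator is not
    an Office process (the second rule), None when nothing matches."""
    if not is_macro_file(event.target_filename):
        return None
    return "low" if process_name(event.image) in OFFICE_PROCESSES else "medium"


def triage(events: List[FileCreateEvent]) -> List[Tuple[str, str, str]]:
    """Return (severity, process, file) for every event that matched."""
    return [(sev, process_name(e.image), e.target_filename)
            for e in events if (sev := classify(e))]


# Constructed sample events (paths and names are illustrative only).
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                    r"C:\Users\alice\Documents\report.docm"),
    FileCreateEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\alice\AppData\Local\Temp\invoice.xlsm"),
    FileCreateEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\notes.txt"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The "low" hits correspond to the first rule's broad match and will need the false-positive filtering the brief mentions; the "medium" hits are the ones worth parent-process investigation first.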
