Attack Chain

1. A user opens a malicious Microsoft Office document (e.g., Word, Excel, PowerPoint).
2. The document contains a malicious script or exploits a vulnerability in the Office application.
3. The Office application (e.g., WINWORD.EXE) writes a new executable file (.exe) to disk, often in a temporary directory or user-writable location.
4. The malicious script or exploit executes the newly created executable file.
5. The executed file performs malicious actions, such as downloading additional malware, establishing persistence, or compromising sensitive data.
6. The malware may attempt to escalate privileges to gain broader access to the system.
7. The malware may attempt to move laterally to other systems on the network.
8. The final objective could be data exfiltration, ransomware deployment, or other malicious activities.

Impact

Successful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive information, or take control of the compromised system. Depending on the privileges of the user and the nature of the malware, this can result in significant data loss, system disruption, and potential financial damage. If lateral movement is successful, the attacker may compromise multiple systems, increasing the scope of the attack.

Recommendation

• Enable process creation logging in Windows and monitor for the execution of executable files written or modified by Microsoft Office applications to activate the rules below.
• Deploy the Sigma rules provided in this brief to your SIEM and tune for your specific environment.
• Investigate any alerts generated by the Sigma rules, focusing on the parent process, file path, and command-line arguments of the executed file.
• Implement application control policies to restrict the execution of unauthorized executables in user-writable directories.