Name:Office Document Executing Macro Code id:b12c89bc-9d06-11eb-a592-acde48001122 version:7 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk. Data_source:
-Sysmon EventID 7
search:`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. known_false_positives:False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL. References: -https://www.joesandbox.com/analysis/386500/0/html -https://www.joesandbox.com/analysis/702680/0/html -https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/ -https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing -https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ -https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Spearphishing Attachments' - 'Trickbot' - 'IcedID' - 'DarkCrystal RAT' - 'AgentTesla' - 'Qakbot' - 'Azorult' - 'Remcos' - 'PlugX' - 'NjRAT' asset_type:Endpoint confidence:50 impact:70 message:Office document executing a macro on $dest$ mitre_attack_id: - 'T1566' - 'T1566.001' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'ImageLoaded' - 'AllImageLoaded' - 'dest' - 'EventCode' - 'Image' - 'process_name' - 'ProcessId' - 'ProcessGuid' - '_time' risk_score:35 security_domain:endpoint
