This rule keys on the variable names and PowerShell command fragments found in a malicious Excel macro: the VBA reads PROCESSOR_ARCHITECTURE and windir through Environ(), builds the path to the 32-bit (SysWOW64) powershell.exe, and launches it with -NoP -NonI -W Hidden so that a Base64-encoded, Deflate-compressed payload is inflated and read entirely in memory. SOC teams should hunt for the same chain in Azure Sentinel to catch macro-based attacks that evade traditional detection methods.
YARA Rule
rule FE_LEGALSTRIKE_MACRO_2 {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4."
    strings:
        // Setting the environment: the macro probes the CPU architecture and
        // builds the 32-bit (SysWOW64) powershell.exe path from %windir%
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // powershell command fragments: no profile, non-interactive, hidden
        // window, then an in-memory Base64 + Deflate decoder read to the end
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        // 'ascii wide' above matches raw ASCII and UTF-16LE; this regex has no
        // 'wide' modifier, so it only matches ASCII text
        $psregex1 = /\W\w+\s+\s\".+\"/
    condition:
        (
            (
                // skip PE files: 0x5A4D is the little-endian "MZ" header
                (uint16(0) != 0x5A4D)
            )
            and
            (
                // 'and' binds tighter than 'or': either all three environment
                // strings plus six command fragments, or all three plus four
                // fragments and the regex
                all of ($env*) and 6 of ($ps*)
                or
                all of ($env*) and 4 of ($ps*) and all of ($psregex*)
            )
        )
}
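To show how the condition actually evaluates, here is an added example, written for this page rather than taken from FireEye and not a substitute for yara-python, that re-implements the rule's string matching and condition in plain Python and runs it over constructed VBA samples. It also exercises two behaviours the rule's syntax implies: the MZ-header exclusion, and the fact that $psregex1 lacks the wide modifier so a UTF-16LE macro can only match through the six-fragment branch. The sample macros are invented for the example and the Base64 blob is a placeholder, not a payload.

```python
import re

# String atoms transcribed from FE_LEGALSTRIKE_MACRO_2, with YARA's \" and \\
# escapes already resolved into the literal text that is matched.
ENV_STRINGS = [
    'Arch = Environ("PROCESSOR_ARCHITECTURE")',
    'windir = Environ("windir")',
    'windir + "\\syswow64\\windowspowershell\\v1.0\\powershell.exe"',
]
PS_STRINGS = [
    "-NoP", "-NonI", "-W Hidden", "-Command",
    "New-Object IO.StreamReader", "IO.Compression.DeflateStream",
    "IO.MemoryStream", ",$([Convert]::FromBase64String", "ReadToEnd();",
]
# $psregex1 carries no 'wide' modifier, so (like YARA) it only sees ASCII bytes.
PS_REGEX = re.compile(rb'\W\w+\s+\s".+"')


def _present(data: bytes, s: str) -> bool:
    """'ascii wide': the string may appear raw or UTF-16LE encoded."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def count_hits(data: bytes) -> dict:
    """Per-group hit counts, mirroring 'N of ($group*)' in the condition."""
    return {
        "env": sum(_present(data, s) for s in ENV_STRINGS),
        "ps": sum(_present(data, s) for s in PS_STRINGS),
        "psregex": 1 if PS_REGEX.search(data) else 0,
    }


def matches(data: bytes) -> bool:
    """Evaluate the rule's condition with YARA's operator precedence."""
    # uint16(0) != 0x5A4D: drop anything that starts with the "MZ" (PE) header;
    # on input shorter than two bytes YARA leaves uint16(0) undefined, i.e. false.
    if len(data) < 2 or data[:2] == b"MZ":
        return False
    h = count_hits(data)
    all_env = h["env"] == len(ENV_STRINGS)
    # 'and' binds tighter than 'or': (A and B) or (A and C and D)
    return (all_env and h["ps"] >= 6) or (all_env and h["ps"] >= 4 and h["psregex"] == 1)


# Constructed VBA samples (invented for this example, not real malware; the
# Base64 blob is a placeholder). Raw byte literals keep the backslashes intact.
MALICIOUS_MACRO = rb'''Sub Workbook_Open()
    Arch = Environ("PROCESSOR_ARCHITECTURE")
    windir = Environ("windir")
    ps = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
    cmd = "-NoP -NonI -W Hidden -Command ""IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::FromBase64String('QUFBQQ==')))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"""
    Shell ps & " " & cmd, vbHide
End Sub
'''
# Same environment probing but only four fragments: reaches the rule solely
# through the $psregex1 branch (note the double space before the quoted argument).
TRIMMED_MACRO = rb'''Sub Workbook_Open()
    Arch = Environ("PROCESSOR_ARCHITECTURE")
    windir = Environ("windir")
    ps = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
    cmd = "-NoP -NonI -W Hidden -Command  ""Start-Process notepad"""
    Shell ps & " " & cmd, vbHide
End Sub
'''
# Legacy finance macro that shells out to 64-bit PowerShell without probing the CPU.
BENIGN_MACRO = rb'''Sub ExportReport()
    windir = Environ("windir")
    ps = windir + "\System32\WindowsPowerShell\v1.0\powershell.exe"
    Shell ps & " -NoP -Command ""& C:\Finance\Tools\legacy_export.ps1""", vbNormalFocus
End Sub
'''


def demo() -> dict:
    """Verdicts for each constructed sample, including the wide and PE edge cases."""
    wide = MALICIOUS_MACRO.decode("ascii").encode("utf-16-le")
    return {
        "malicious": matches(MALICIOUS_MACRO),
        "malicious_utf16": matches(wide),
        "malicious_in_pe": matches(b"MZ" + MALICIOUS_MACRO),
        "trimmed_regex_branch": matches(TRIMMED_MACRO),
        "trimmed_single_space": matches(TRIMMED_MACRO.replace(b"-Command  ", b"-Command ")),
        "benign": matches(BENIGN_MACRO),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Two things fall out of running it: the UTF-16LE copy still matches because the nine ascii wide fragments carry the first branch even though the regex scores zero on wide text, and the trimmed sample stops matching the moment the double space before the quoted argument becomes a single one, which is how brittle the regex branch is. Because VBA module source is stored compressed inside the workbook's vbaProject.bin OLE stream, run the rule (or this re-implementation) against extracted macro text, as its filetype = "MACRO" meta suggests, not against the raw workbook.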
This YARA rule can be deployed in the following contexts:
This rule contains 13 string patterns in its detection logic: the three $env* strings, the nine $ps* command fragments and the single $psregex1 regular expression. YARA matches file content, and VBA source is stored compressed inside the workbook's vbaProject.bin OLE stream, so the rule should be run against extracted macro text (its filetype is "MACRO") rather than the raw workbook. The rule itself sees no process telemetry; the scenarios below describe legitimate activity that resembles what it flags and give process-level exclusions for the accompanying hunt.
Filters are written in a generic EDR pseudo-syntax; values in angle brackets are site-specific placeholders to be filled in per environment. The common thread is that an exclusion should key on something the author of a malicious workbook cannot control (the parent process, an approved script path, an allowlisted account on a known host), never on a bare command-line substring.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a PowerShell script to clean temporary files or update system settings.
Filter/Exclusion: process.parent_process_name in ("svchost.exe", "taskeng.exe") and process.command_line contains "<approved maintenance script path>"
Caveat: Task Scheduler starts tasks from the Schedule service (svchost.exe on current Windows, taskeng.exe on older releases), not from schtasks.exe; schtasks.exe only creates or triggers tasks, so a parent-name check on it never matches the spawned script. Tie the exclusion to the specific script path, since scheduled tasks are also a common persistence mechanism.
Scenario: PowerShell-based Administrative Task (e.g., Group Policy Update)
Description: An admin uses PowerShell to update group policies or configure system settings.
Filter/Exclusion: process.user in ("<admin allowlist>") and process.command_line contains "Invoke-GPUpdate" and process.parent_process_name != "excel.exe"
Caveat: Never exclude on process.user == "SYSTEM" by itself; that hides every PowerShell execution by the most privileged account, including a stager launched from an elevated task. A substring such as "gpupdate" is equally unsafe on its own, because an attacker can append it to any command line.
Scenario: Scripted Software Deployment via SCCM
Description: A Systems Center Configuration Manager (SCCM) deployment script runs PowerShell commands to install software.
Filter/Exclusion: process.parent_process_name == "ccmexec.exe"
Caveat: CcmExec.exe (the SMS Agent Host) as the parent is the reliable signal; a command_line contains "ccmexec" clause adds nothing an attacker cannot type.
Scenario: PowerShell Module Import for Reporting
Description: A report generation script imports a PowerShell module to access internal data sources.
Filter/Exclusion: process.user == "Domain\\ReportingUser" and process.command_line contains "<approved report script path>"
Caveat: Import-Module appears in almost every script, so it is not a discriminator. Scope the exclusion to the script and the host it runs on, and keep the service account itself under watch: a compromised reporting account would otherwise inherit a blanket exemption.
Scenario: Legacy Macro Execution in Excel for Data Processing
Description: A legacy Excel macro (VBA) uses PowerShell to process data, which may include command fragments seen in the rule.
Filter/Exclusion: process.parent_process_name == "excel.exe" and process.file_name == "powershell.exe" and process.command_line contains "<approved macro script path>" and not (process.command_line contains "FromBase64String")
Caveat: The flagged child is powershell.exe, not excel.exe, so a filter on Excel spawning Excel matches nothing; and excluding on parent == excel.exe alone would suppress exactly the chain this rule targets. Key the exclusion to the approved script path and the absence of a Base64 decoder, and on the YARA side allowlist the specific known-good workbook by file hash rather than relaxing the rule.
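The following added example (not from the page or any vendor) runs two sets of exclusions over constructed process events, with field names mirroring the pseudo-syntax used here, to show which true positives each would suppress. It contrasts naive single-field exclusions (a parent name or a command-line substring) with tightened ones keyed to the parent process and an approved script path. The detection itself is a minimal "Office spawns PowerShell with stager fragments" check built from the rule's $ps* strings; the events, account names and the approved script path are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Command-line fragments lifted from the $ps* strings of FE_LEGALSTRIKE_MACRO_2.
FRAGMENTS = ["-NoP", "-NonI", "-W Hidden", "-Command", "IO.MemoryStream",
             "IO.Compression.DeflateStream", "FromBase64String", "ReadToEnd();"]
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record in the page's field naming."""
    file_name: str
    parent_process_name: str
    command_line: str
    user: str


def is_suspicious(e: ProcessEvent) -> bool:
    """Office application spawning PowerShell with three or more stager fragments."""
    return (e.file_name.lower() == "powershell.exe"
            and e.parent_process_name.lower() in OFFICE_PARENTS
            and sum(f in e.command_line for f in FRAGMENTS) >= 3)


Exclusion = Callable[[ProcessEvent], bool]

# Naive exclusions: one parent name or one free-text substring each.
NAIVE_EXCLUSIONS: dict[str, Exclusion] = {
    "scheduled_task": lambda e: (e.parent_process_name == "schtasks.exe"
                                 or "schtasks.exe /run" in e.command_line),
    "gpo_admin": lambda e: e.user == "SYSTEM" or "gpupdate" in e.command_line,
    "sccm": lambda e: (e.parent_process_name == "ccmexec.exe"
                       or "ccmexec" in e.command_line),
    "reporting": lambda e: ("Import-Module" in e.command_line
                            and e.user == "Domain\\ReportingUser"),
    "legacy_macro": lambda e: ("excel.exe" in e.file_name
                               and "excel.exe" in e.parent_process_name),
}

# Tightened exclusions: keyed to the parent process and an exact approved
# script path, which the author of a malicious workbook does not control.
APPROVED_MACRO_SCRIPT = r"C:\Finance\Tools\legacy_export.ps1"  # hypothetical allowlisted path
TIGHT_EXCLUSIONS: dict[str, Exclusion] = {
    "scheduled_task": lambda e: (e.parent_process_name in {"svchost.exe", "taskeng.exe"}
                                 and e.user == "SYSTEM"),
    "sccm": lambda e: e.parent_process_name == "ccmexec.exe",
    "legacy_macro": lambda e: (e.parent_process_name == "excel.exe"
                               and APPROVED_MACRO_SCRIPT in e.command_line
                               and "FromBase64String" not in e.command_line),
}


def triage(events: list, exclusions: dict) -> dict:
    """Map each suspicious event's index to the exclusion that silenced it (None = alert)."""
    out: dict[int, Optional[str]] = {}
    for i, e in enumerate(events):
        if is_suspicious(e):
            out[i] = next((name for name, rule in exclusions.items() if rule(e)), None)
    return out


# Constructed events (not real telemetry). The Base64 blob is a placeholder.
STAGER = ("-NoP -NonI -W Hidden -Command \"IEX (New-Object IO.StreamReader(New-Object "
          "IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::"
          "FromBase64String('QUFBQQ==')))),[IO.Compression.CompressionMode]::Decompress)))"
          ".ReadToEnd();\"")
EVENTS = [
    ProcessEvent("powershell.exe", "excel.exe", "powershell.exe " + STAGER, "CORP\\alice"),
    ProcessEvent("powershell.exe", "svchost.exe",
                 r"powershell.exe -File C:\Scripts\cleanup.ps1", "SYSTEM"),
    ProcessEvent("powershell.exe", "excel.exe",
                 f'powershell.exe -NoP -NonI -Command "& {APPROVED_MACRO_SCRIPT}"', "CORP\\bob"),
    ProcessEvent("powershell.exe", "excel.exe",
                 "powershell.exe " + STAGER + " ; gpupdate /target:user", "CORP\\carol"),
]

if __name__ == "__main__":
    print("naive:", triage(EVENTS, NAIVE_EXCLUSIONS))   # {0: None, 2: None, 3: 'gpo_admin'}
    print("tight:", triage(EVENTS, TIGHT_EXCLUSIONS))   # {0: None, 2: 'legacy_macro', 3: None}
```

The naive set lets the plain stager through but silences the identical stager as soon as "gpupdate" is appended to its command line, and its legacy-macro filter never fires because the flagged child is powershell.exe rather than excel.exe, so the genuine legacy macro still alerts. The tightened set alerts on both stagers and excludes only the macro that launches the approved script without a Base64 decoder.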