Adversaries may use suspicious OLE files as a vector to deliver malicious payloads, leveraging the common trust placed on document formats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential initial access attempts and mitigate lateral movement risks.
YARA Rule
rule Maldoc_Suspicious_OLE_target {
    meta:
        description = "Detects maldoc With Tartgeting Suspicuios OLE"
        author = "Donguk Seo"
        reference = "https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/"
        filetype = "Office documents"
        date = "2018-06-13"
    strings:
        // OOXML relationship entries of type oleObject whose Target attribute is an
        // http(s) URL ending in .doc, .ppt or .xlx ('.' in a YARA regex does not match a newline)
        $env1 = /oleObject".*Target=.*.http.*.doc"/
        $env2 = /oleObject".*Target=.*.http.*.ppt"/
        $env3 = /oleObject".*Target=.*.http.*.xlx"/
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic consists of three string patterns ($env1 to $env3); a match on any one of them is enough for the rule to fire.
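As an added example that is not part of the rule or of this page, the Python below transcribes the three YARA regexes into re patterns and runs them over the members of a constructed OOXML package, since the oleObject relationship carrying the Target= attribute lives in the package's .rels XML rather than in the compressed container bytes; all URLs, file names and package contents are constructed. It also shows a consequence of $env3 as written: a .xlx target matches, a .xls target does not.

```python
import io
import re
import zipfile

# The three YARA regexes above transcribed into Python re; '.' does not match a newline in either.
OLE_TARGET_PATTERNS = {
    "env1": re.compile(r'oleObject".*Target=.*.http.*.doc"'),
    "env2": re.compile(r'oleObject".*Target=.*.http.*.ppt"'),
    "env3": re.compile(r'oleObject".*Target=.*.http.*.xlx"'),  # ".xlx", not ".xls"
}

def scan_bytes(data):
    """Return the rule strings ($env1..$env3) that match anywhere in data."""
    text = data.decode("latin-1")  # one char per byte, like a raw YARA scan
    return [name for name, pat in OLE_TARGET_PATTERNS.items() if pat.search(text)]

def scan_ooxml(package):
    """Scan each member of an OOXML (zip) package; return {member: [matched strings]}.
    The .rels XML holding the Target= attribute is normally deflate-compressed
    inside the zip, so the rule must be run on extracted members, not the container."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for member in zf.namelist():
            matched = scan_bytes(zf.read(member))
            if matched:
                hits[member] = matched
    return hits

def rels_with_external_target(url):
    """Constructed document.xml.rels with one oleObject relationship to an external URL."""
    return ('<Relationships><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" '
            f'Target="{url}" TargetMode="External"/></Relationships>')

# Constructed benign case: the OLE object is embedded in the package, not fetched from a URL.
BENIGN_RELS = ('<Relationships><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/'
               'officeDocument/2006/relationships/oleObject" '
               'Target="embeddings/oleObject1.bin"/></Relationships>')

def build_sample_docx(rels_xml):
    """Build a minimal OOXML package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

if __name__ == "__main__":
    docx = build_sample_docx(rels_with_external_target("http://example.invalid/report.doc"))
    print(scan_ooxml(docx))  # {'word/_rels/document.xml.rels': ['env1']}
```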
Scenario: A system administrator is using PowerShell to generate a .docm file for a scheduled report, which includes a macro for automation.
Filter/Exclusion: process.name != "powershell.exe" OR file.name != "*.docm"
Scenario: A Windows Task Scheduler job is configured to run a .dotm file that contains a legitimate macro for data export.
Filter/Exclusion: process.name != "schtasks.exe" OR file.name != "*.dotm"
Scenario: A Microsoft Word document is being created by a user using Microsoft Word Online (OneDrive), which includes a macro for formatting.
Filter/Exclusion: process.name != "WINWORD.EXE" OR file.name != "*.docm"
Scenario: A System Center Configuration Manager (SCCM) task is deploying a .docx file with embedded scripts for patch management.
Filter/Exclusion: process.name != "CCMExec.exe" OR file.name != "*.docx"
Scenario: A Power Automate flow is generating a .xlsb file with macros for data processing, which is part of an automated business process.
Filter/Exclusion: process.name != "PowerAutomate.exe" OR file.name != "*.xlsb"