From 290c57145fb50fe8d06ea92e7af9e25081953bb8 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Mon, 21 Apr 2025 21:26:17 +0200 Subject: [PATCH] feat(rules): Microsoft Office file execution via WMI Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code. --- ...icrosoft_office_file_execution_via_wmi.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/initial_access_microsoft_office_file_execution_via_wmi.yml diff --git a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml new file mode 100644 index 000000000..10e36a4ce --- /dev/null +++ b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml 
@@ -0,0 +1,32 @@ +name: Microsoft Office file execution via WMI +id: 50f6efa2-4d7b-4fb7-b1a9-65c3a24d9152 +version: 1.0.0 +description: | + Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written + by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code. +labels: + tactic.id: TA0001 + tactic.name: Initial Access + tactic.ref: https://attack.mitre.org/tactics/TA0001/ + technique.id: T1566 + technique.name: Phishing + technique.ref: https://attack.mitre.org/techniques/T1566/ + subtechnique.id: T1566.001 + subtechnique.name: Spearphishing Attachment + subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/ +references: + - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/ + +condition: > + sequence + maxspan 2m + |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com') or file.is_exec = true)| by file.path + |spawn_process and ps.name ~= 'wmiprvse.exe'| by ps.child.exe +action: + - name: kill + +output: > + Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via WMI +severity: high + +min-engine-version: 2.4.0
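Review bot: the ATT&CK mapping in the `labels` block stops at T1566.001 (Spearphishing Attachment), but the condition that actually fires is the second sequence stage, `spawn_process and ps.name ~= 'wmiprvse.exe'`, i.e. execution through the WMI provider host; the only reference given is the Red Canary WMI page, so the technique this rule observes is not represented in the labels at all. If the schema allows only one technique/subtechnique pair, at least add the MITRE page for Windows Management Instrumentation under `references:` alongside the Red Canary link so the WMI execution leg is documented. Two smaller points in the same hunk: the `output` template uses only stage-1 fields (`%1.ps.exe`, `%1.file.path`), so the alert never shows the process that `wmiprvse.exe` actually spawned; adding `%2.ps.child.exe` (and its command line, if the field is available) gives responders the executed image without opening the raw events. And since the rule carries `action: - name: kill` at `severity: high`, the `create_file` stage would benefit from a comment or a path constraint on `file.path` describing which writes are expected here, because any Office process that writes an `.exe`/`.com` (or a file with `file.is_exec = true`) that WMI later launches within `maxspan 2m` will have that process terminated, and the description gives no guidance on expected false positives.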