rabbitstack · rabbitstack · Apr 24, 2025 · Apr 21, 2025
diff --git a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml
@@ -0,0 +1,32 @@
+name: Microsoft Office file execution via WMI
+id: 50f6efa2-4d7b-4fb7-b1a9-65c3a24d9152
+version: 1.0.0
+description: |
+  Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written 
+  by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+  subtechnique.id: T1566.001
+  subtechnique.name: Spearphishing Attachment
+  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+references:
+  - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
+
+condition: >
+  sequence
+  maxspan 2m
+    |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com') or file.is_exec = true)| by file.path
+    |spawn_process and ps.name ~= 'wmiprvse.exe'| by ps.child.exe
+action:
+  - name: kill
+
+output: >
+  Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via WMI
+severity: high
+
+min-engine-version: 2.4.0