Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious Process Injection from Office application

Suspicious Process Injection from Office application

Back
Ida4d8e681-6f30-440a-a2f3-c312bc1389d0
RulenameSuspicious Process Injection from Office application
DescriptionThis query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)that might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something longer running.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeProcessInjection.yaml
Version1.0.1
Arm templatea4d8e681-6f30-440a-a2f3-c312bc1389d0.json
Deploy To Azure
DeviceEvents 
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "SetThreadContextRemoteApiCall")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where InitiatingProcessCommandLine !contains "/dde"
| where not(InitiatingProcessCommandLine has_any (".docx", "dotx",".xlsx", ".xltx", ".pptx")) // These files can't contain macros.
// Enable the line below if the results are too noisy.
//| where InitiatingProcessCommandLine has_any (".doc", ".wbk", ".docm", ".dot", ".dotm" ".xls", ".xlsm", ".xltm", ".xla",".xll", ".xlam", ".ppt", ".pptm", ".pot", ".potm", ".ppsm", ".sldm") 

requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
query: |
  DeviceEvents 
  | where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "SetThreadContextRemoteApiCall")
  | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
  | where InitiatingProcessCommandLine !contains "/dde"
  | where not(InitiatingProcessCommandLine has_any (".docx", "dotx",".xlsx", ".xltx", ".pptx")) // These files can't contain macros.
  // Enable the line below if the results are too noisy.
  //| where InitiatingProcessCommandLine has_any (".doc", ".wbk", ".docm", ".dot", ".dotm" ".xls", ".xlsm", ".xltm", ".xla",".xll", ".xlam", ".ppt", ".pptm", ".pot", ".potm", ".ppsm", ".sldm")   
description: |
    This query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)that might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something longer running. 
kind: Scheduled
name: Suspicious Process Injection from Office application
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeProcessInjection.yaml
relevantTechniques:
- T1204
entityMappings:
- fieldMappings:
  - identifier: Sid
    columnName: InitiatingProcessAccountSid
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: NTDomain
    columnName: InitiatingProcessAccountDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: CommandLine
    columnName: InitiatingProcessCommandLine
  entityType: Process
queryFrequency: 1h
version: 1.0.1
tactics:
- Execution
id: a4d8e681-6f30-440a-a2f3-c312bc1389d0
triggerThreshold: 0
status: Available
queryPeriod: 1h
triggerOperator: gt
severity: Medium

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4d8e681-6f30-440a-a2f3-c312bc1389d0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4d8e681-6f30-440a-a2f3-c312bc1389d0')]",
      "properties": {
        "alertRuleTemplateName": "a4d8e681-6f30-440a-a2f3-c312bc1389d0",
        "customDetails": null,
        "description": "This query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)that might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something longer running. \n",
        "displayName": "Suspicious Process Injection from Office application",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessAccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "InitiatingProcessAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "InitiatingProcessAccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeProcessInjection.yaml",
        "query": "DeviceEvents \n| where ActionType in (\"CreateRemoteThreadApiCall\", \"QueueUserApcRemoteApiCall\", \"SetThreadContextRemoteApiCall\")\n| where InitiatingProcessFileName in~ (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")\n| where InitiatingProcessCommandLine !contains \"/dde\"\n| where not(InitiatingProcessCommandLine has_any (\".docx\", \"dotx\",\".xlsx\", \".xltx\", \".pptx\")) // These files can't contain macros.\n// Enable the line below if the results are too noisy.\n//| where InitiatingProcessCommandLine has_any (\".doc\", \".wbk\", \".docm\", \".dot\", \".dotm\" \".xls\", \".xlsm\", \".xltm\", \".xla\",\".xll\", \".xlam\", \".ppt\", \".pptm\", \".pot\", \".potm\", \".ppsm\", \".sldm\") \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}