Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious Process Injection from Office application

Suspicious Process Injection from Office application

Back
Ida4d8e681-6f30-440a-a2f3-c312bc1389d0
RulenameSuspicious Process Injection from Office application
DescriptionThis query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)

that might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something

longer running.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeProcessInjection.yaml
Version1.0.0
Arm templatea4d8e681-6f30-440a-a2f3-c312bc1389d0.json
Deploy To Azure
DeviceEvents 
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "SetThreadContextRemoteApiCall")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where InitiatingProcessCommandLine !contains "/dde"
| where not(InitiatingProcessCommandLine has_any (".docx", "dotx",".xlsx", ".xltx", ".pptx")) // These files can't contain macros.
// Enable the line below if the results are too noisy.
//| where InitiatingProcessCommandLine has_any (".doc", ".wbk", ".docm", ".dot", ".dotm" ".xls", ".xlsm", ".xltm", ".xla",".xll", ".xlam", ".ppt", ".pptm", ".pot", ".potm", ".ppsm", ".sldm") 

relevantTechniques:
- T1204
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeProcessInjection.yaml
triggerOperator: gt
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: InitiatingProcessAccountSid
    identifier: Sid
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: InitiatingProcessCommandLine
    identifier: CommandLine
  entityType: Process
requiredDataConnectors:
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
queryPeriod: 1h
query: |
  DeviceEvents 
  | where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "SetThreadContextRemoteApiCall")
  | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
  | where InitiatingProcessCommandLine !contains "/dde"
  | where not(InitiatingProcessCommandLine has_any (".docx", "dotx",".xlsx", ".xltx", ".pptx")) // These files can't contain macros.
  // Enable the line below if the results are too noisy.
  //| where InitiatingProcessCommandLine has_any (".doc", ".wbk", ".docm", ".dot", ".dotm" ".xls", ".xlsm", ".xltm", ".xla",".xll", ".xlam", ".ppt", ".pptm", ".pot", ".potm", ".ppsm", ".sldm")   
version: 1.0.0
description: |
  This query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)
  that might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something
  longer running.   
tactics:
- Execution
severity: Medium
name: Suspicious Process Injection from Office application
queryFrequency: 1h
triggerThreshold: 0
status: Available
id: a4d8e681-6f30-440a-a2f3-c312bc1389d0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4d8e681-6f30-440a-a2f3-c312bc1389d0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4d8e681-6f30-440a-a2f3-c312bc1389d0')]",
      "properties": {
        "alertRuleTemplateName": "a4d8e681-6f30-440a-a2f3-c312bc1389d0",
        "customDetails": null,
        "description": "This query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)\nthat might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something\nlonger running. \n",
        "displayName": "Suspicious Process Injection from Office application",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessAccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "InitiatingProcessAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "InitiatingProcessAccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeProcessInjection.yaml",
        "query": "DeviceEvents \n| where ActionType in (\"CreateRemoteThreadApiCall\", \"QueueUserApcRemoteApiCall\", \"SetThreadContextRemoteApiCall\")\n| where InitiatingProcessFileName in~ (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")\n| where InitiatingProcessCommandLine !contains \"/dde\"\n| where not(InitiatingProcessCommandLine has_any (\".docx\", \"dotx\",\".xlsx\", \".xltx\", \".pptx\")) // These files can't contain macros.\n// Enable the line below if the results are too noisy.\n//| where InitiatingProcessCommandLine has_any (\".doc\", \".wbk\", \".docm\", \".dot\", \".dotm\" \".xls\", \".xlsm\", \".xltm\", \".xla\",\".xll\", \".xlam\", \".ppt\", \".pptm\", \".pot\", \".potm\", \".ppsm\", \".sldm\") \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}