Sigma rules for CVE-2008-3012
104 rules · scoped to cve · back to CVE-2008-3012
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: |
Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_office_root:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Office'
- '\Software\Microsoft\Office'
selection_office_details:
TargetObject|contains:
- '\Word\Addins'
- '\PowerPoint\Addins'
- '\Outlook\Addins'
- '\Onenote\Addins'
- '\Excel\Addins'
- '\Access\Addins'
- 'test\Special\Perf'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_known_addins:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
- 'C:\PROGRA~2\MICROS~2\Office'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\SysWOW64\regsvr32.exe '
TargetObject|contains:
# Remove any unused addins in your environment from the filter
# Known addins for excel
- '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
- '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
- '\Excel\Addins\NativeShim\'
- '\Excel\Addins\NativeShim.InquireConnector.1\'
- '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
# Known addins for outlook
- '\Outlook\AddIns\AccessAddin.DC\'
- '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
- '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
- '\Outlook\AddIns\EvernoteOLRD.Connect\'
# - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
- '\Outlook\Addins\\OneNote.OutlookAddin'
- '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
- '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
- '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
- '\Outlook\Addins\OcOffice.OcForms\'
- '\Outlook\Addins\OscAddin.Connect\'
- '\Outlook\Addins\OutlookChangeNotifier.Connect\'
- '\Outlook\Addins\UCAddin.LyncAddin.1'
- '\Outlook\Addins\UCAddin.UCAddin.1'
- '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
- 'AddinTakeNotesService\FriendlyName'
filter_main_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_vsto:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
- 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
Image|endswith: '\VSTOInstaller.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
# These filters are not exhaustive, filter can be expanded based on environment
condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software or add-in installations and administrative configurations
- Automatic registry modifications during legitimate software installations
level: medium
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
- https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
- attack.persistence
- attack.t1137.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
condition: selection
falsepositives:
- Unlikely
level: medium
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
- id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
type: similar
status: test
description: Detects the creation of a new office macro files on the systems
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
filter_main_office:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
TargetFilename|contains: '\~$' # Temporary files created by Office applications
condition: selection and not 1 of filter_main_*
falsepositives:
- Very common in environments that rely heavily on macro documents
level: low
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
- id: 91174a41-dc8f-401b-be89-7bfc140612a0
type: similar
status: test
description: |
Detects the creation of a new office macro files on the system via an application (browser, mail client).
This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
detection:
selection_processes:
Image|endswith:
# Email clients
- '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
- '\outlook.exe'
- '\thunderbird.exe'
# Browsers
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\maxthon.exe'
- '\MicrosoftEdge.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\opera.exe'
- '\safari.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
- '\whale.exe'
selection_ext:
- TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
- TargetFilename|contains:
- '.docm:Zone'
- '.dotm:Zone'
- '.xlsm:Zone'
- '.xltm:Zone'
- '.potm:Zone'
- '.pptm:Zone'
condition: all of selection_*
falsepositives:
- Legitimate macro files downloaded from the internet
- Legitimate macro files sent as attachments via emails
level: low