feat(rules): Microsoft Office file execution via WMI

Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code.

Author: rabbitstack

rules/initial_access_microsoft_office_file_execution_via_wmi.yml

@@ -0,0 +1,32 @@
+name: Microsoft Office file execution via WMI
+id: 50f6efa2-4d7b-4fb7-b1a9-65c3a24d9152
+version: 1.0.0
+description: |
+  Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written 
+  by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+  subtechnique.id: T1566.001
+  subtechnique.name: Spearphishing Attachment
+  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+references:
+  - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
+
+condition: >
+  sequence
+  maxspan 2m
+    |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com') or file.is_exec = true)| by file.path
+    |spawn_process and ps.name ~= 'wmiprvse.exe'| by ps.child.exe
+action:
+  - name: kill
+
+output: >
+  Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via WMI
+severity: high
+
+min-engine-version: 2.4.0