
Summary
This rule detects the creation of new Office macro files on Windows systems by matching the file extensions associated with macro-enabled documents: .docm, .dotm, .xlsm, .xltm, .potm, and .pptm. The appearance of such files can indicate malicious activity, particularly in environments where macro-based exploits are a concern. Detection works by monitoring file event logs and identifying newly created files whose extension matches one of those listed. Because environments that routinely use macro-enabled files will generate false positives, the rule is set to a low severity level. This lets security teams focus on genuine threats while managing the high volume of routine macro use across business processes.
Categories
- Windows
- Endpoint
Data Sources
- File
ATT&CK Techniques
- T1566.001
Created: 2022-01-23
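The matching logic the Summary describes, as an added example rather than the rule's own code: it parses constructed file-event lines (assumed here to follow a Sysmon-style key=value layout with Event ID 11 for file creation), compares only the final extension case-insensitively, and records the creating process so analysts can triage the expected noise from ordinary Office usage.

```python
"""Added example: detect newly created macro-enabled Office files in file-event logs."""
import re
from pathlib import PureWindowsPath

# Extensions listed in the rule summary, lower-cased for case-insensitive matching.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm"}

# Constructed sample events (assumed Sysmon-style FileCreate, Event ID 11); not real log data.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "TargetFilename=C:\\Users\\alice\\Documents\\Q1_report.docm",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\Downloads\\invoice.XLSM",
    "EventID=11 Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\Temp\\update.log",
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE "
    "TargetFilename=C:\\Users\\bob\\Desktop\\deck.pptx",
    "EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe "
    "TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\macro.dotm.txt",
]


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict; values may contain spaces (e.g. Program Files)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def is_macro_file(path: str) -> bool:
    """True only if the file's final extension is a macro-enabled Office type.

    Using the real suffix (not a substring search) avoids matching names like
    'macro.dotm.txt', and lower-casing handles NTFS case-insensitivity."""
    return PureWindowsPath(path).suffix.lower() in MACRO_EXTENSIONS


def detect(lines) -> list:
    """Return one low-severity finding per file-creation event that wrote a macro-enabled file."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":  # only file-creation events (schema assumption)
            continue
        target = ev.get("TargetFilename", "")
        if is_macro_file(target):
            # The creating process is kept for triage: an Office binary writing a .docm is
            # routine, while an unexpected creator is the part worth an analyst's time.
            findings.append({"level": "low", "file": target, "creator": ev.get("Image", "")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```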