Add rule: Office Macro Phishing Initial Access detection

[arjun-tarakesh]

Summary of the Pull Request

Added a Sigma rule that detects Microsoft Office applications (such as Word, Excel, PowerPoint) launched with suspicious command-line arguments. These arguments (e.g., /m, .dotm, AutoOpen) are frequently associated with auto-executing macros often leveraged in phishing campaigns for initial access. This detection aligns with MITRE ATT&CK technique T1566.001.

Changelog

new: Suspicious Office Macro Execution via CLI Arguments

Example Log Event

{
  "UtcTime": "2025-05-11T10:42:00.000Z",
  "EventID": 1,
  "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /m AutoOpen /q",
  "ParentImage": "C:\\Windows\\explorer.exe",
  "OriginalFileName": "WINWORD.EXE",
  "User": "CORP\\target.user",
  "ProcessId": 5432,
  "ParentProcessId": 567,
  "LogonId": "0x3e7",
  "IntegrityLevel": "Medium",
  "Hashes": "SHA256=abcdef123456...",
  "Company": "Microsoft Corporation",
  "Description": "Microsoft Word"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

• Rule file follows naming conventions: proc_creation_win_macro_cli.yml

• Structure includes id, description, references, and appropriate ATT&CK tags

• Tags: attack.t1566.001, attack.t1059.001, attack.execution

• MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment) is the main detection focus

• References included to support technique

• Rule status is set to experimental

• Detection logic uses CommandLine|contains and ParentImage|endswith on Office apps

[github-actions]

Welcome @arjun-tarakesh 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

[frack113]

Hi,
There is allready the https://github.com/SigmaHQ/sigma/blob/b062d8ad650054cd20836d5ba38031090b8d8c33/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml

You can use https://sigmasearchengine.com/ to search

[arjun-tarakesh]

Member

Hi @frack113,

Thank you so much for the helpful insight — and apologies for the duplication earlier. I'm a first-time contributor and still getting familiar with the repo structure and search workflows.

Based on your feedback, I’ve updated my rule to focus on suspicious command-line arguments used to launch Office applications (like /m, .dotm, AutoOpen), which may indicate macro-based execution triggered via phishing.

I used the Sigma search engine to double-check and couldn't find an existing rule that specifically detects Office command-line macro execution patterns — but please let me know if I missed anything. Would you mind taking a look and confirming if the update now looks okay?