Find sigma rule 
Attack: User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
MITRE
Tactic
- execution
technique
- T1204.002
Test : Excel 4 Macro
OS
- windows
Description:
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a “malicious” VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If you’d like to utilize the “=GET.WORKSPACE(26)” method, that many maldoc authors use, you will need to ensure that the User Name associated with Excel matches that of the local system. This username can be found under Files -> Options -> Username
Executor
powershell
Sigma Rule
-
proc_creation_win_powershell_cmdline_special_characters.yml (id: d7bcd677-645d-4691-a8d4-7a5602b780d1)
-
proc_creation_win_susp_script_exec_from_temp.yml (id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33)
-
image_load_office_vbadll_load.yml (id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9)
-
file_event_win_office_susp_file_extension.yml (id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4)
-
net_connection_win_office_outbound_non_local_ip.yml (id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84)
-
proc_creation_win_wscript_cscript_dropper.yml (id: cea72823-df4d-4567-950c-0b579eaf0846)
-
image_load_dll_credui_uncommon_process_load.yml (id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784)
-
registry_add_pua_sysinternals_execution_via_eula.yml (id: 25ffa65d-76d8-4da5-a832-3f2b0136e133)
-
proc_access_win_lsass_susp_source_process.yml (id: fa34b441-961a-42fa-a100-ecc28c886725)