The macrocheck YARA rule identifies Office documents (and VBA macros extracted from them) that carry the strings of the MACROCHECK credential stealer, a macro-based payload used to harvest user credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
rule macrocheck : maldoc
{
    meta:
        Author = "Fireeye Labs"
        Date = "2014/11/30"
        Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extracted from .docx files (vbaProject.bin files)."
        Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
    strings:
        $PARAMpword = "pword=" ascii wide
        $PARAMmsg = "msg=" ascii wide
        $PARAMuname = "uname=" ascii
        $userform = "UserForm" ascii wide
        $userloginform = "UserLoginForm" ascii wide
        $invalid = "Invalid username or password" ascii wide
        $up1 = "uploadPOST" ascii wide
        $up2 = "postUpload" ascii wide
    condition:
        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
This YARA rule can be deployed in the following contexts:
This rule declares 8 string patterns. Its condition fires when all three $PARAM* strings (the POST parameter names uname=, pword= and msg=) are present, or when one of the login-form strings ($invalid, $userloginform or $userform) co-occurs with one of the upload routine names ($up1 or $up2). The rule matches on file content (.doc files or an extracted vbaProject.bin), so the exclusions listed below apply to the process telemetry surrounding a hit, not to the YARA condition itself.
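To make the condition concrete, here is an added Python re-implementation of the rule's matching logic (it is not FireEye's code and not part of the original page). It shows what the ascii/wide modifiers require and why the two branches are combined the way they are; the three sample blobs are constructed for the example, not taken from real documents.

```python
# Rule strings copied from macrocheck; the bool records whether "wide" (UTF-16LE)
# applies. Note that $PARAMuname is declared "ascii" only in the original rule.
STRINGS = {
    "PARAMpword":    (b"pword=", True),
    "PARAMmsg":      (b"msg=", True),
    "PARAMuname":    (b"uname=", False),
    "userform":      (b"UserForm", True),
    "userloginform": (b"UserLoginForm", True),
    "invalid":       (b"Invalid username or password", True),
    "up1":           (b"uploadPOST", True),
    "up2":           (b"postUpload", True),
}

def string_hits(data: bytes) -> set:
    """Names of rule strings found in data, as ascii or (when wide) as UTF-16LE."""
    hits = set()
    for name, (pattern, wide) in STRINGS.items():
        wide_pattern = pattern.decode("ascii").encode("utf-16-le")
        if pattern in data or (wide and wide_pattern in data):
            hits.add(name)
    return hits

def macrocheck_matches(data: bytes) -> bool:
    """all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))"""
    hits = string_hits(data)
    all_params = {"PARAMpword", "PARAMmsg", "PARAMuname"} <= hits
    form_branch = bool(hits & {"invalid", "userloginform", "userform"}) and bool(hits & {"up1", "up2"})
    return all_params or form_branch

# Constructed sample 1: a plain UserForm that shows a message box. "UserForm" is
# common in legitimate VBA projects, so on its own it must not trigger the rule.
SAMPLE_BENIGN = (b'Attribute VB_Name = "UserForm1"\r\n'
                 b'Private Sub CommandButton1_Click()\r\n'
                 b'MsgBox "Hello"\r\nEnd Sub\r\n')

# Constructed sample 2: a login form whose error text is stored UTF-16LE (the
# reason the rule carries "wide") next to an upload routine; second branch fires.
SAMPLE_CREDFORM = (b'Attribute VB_Name = "UserLoginForm"\r\n'
                   + "Invalid username or password".encode("utf-16-le")
                   + b'\r\nCall uploadPOST(body)\r\n')

# Constructed sample 3: the three POST parameter names together; first branch fires.
SAMPLE_PARAMS = b'body = "uname=" & u & "&pword=" & p & "&msg=" & m\r\n'

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("credform", SAMPLE_CREDFORM), ("params", SAMPLE_PARAMS)):
        print(label, sorted(string_hits(blob)), macrocheck_matches(blob))
```

Running it prints one line per sample with the strings hit and the verdict; only the benign form, which hits $userform alone, comes back False.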
Scenario: A system administrator is using PowerShell to run a scheduled task that includes a macro-like command for automation.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler whose command line contains schtasks or schtasks.exe.
Scenario: A developer is using Visual Studio to debug a macro-enabled Excel file as part of a legitimate business process.
Filter/Exclusion: Exclude processes running under the Visual Studio process name (devenv.exe) or whose file path contains Microsoft.Excel.
Scenario: A security tool like Malwarebytes or Kaspersky is performing a scan and generates a macro-related alert during its analysis.
Filter/Exclusion: Exclude processes with the parent process name mbam.exe, kav64.exe, or similar security tool executables.
Scenario: A system update or patching tool like Windows Update or WSUS includes a temporary macro file during installation.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe or wsusutil.exe, and files located in system directories such as C:\Windows\Temp.
Scenario: A DevOps pipeline (e.g., Jenkins, Azure DevOps) runs a script that includes a macro-like command for configuration management.
Filter/Exclusion: Exclude processes with the parent process name jenkins.exe or azure-pipelines.exe, and files located in a known CI/CD working directory.