Adversaries may generate documents using Microsoft Word Intruder (MWI) to exfiltrate data or create malicious payloads, leveraging the legitimate tool to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or persistence tactics that bypass traditional detection methods.
YARA Rule
rule mwi_document: exploitdoc maldoc
{
    meta:
        description = "MWI generated document"
        author = "@Ydklijnsma"
        source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
    strings:
        $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
        $mwistat_url = ".php?id="
        $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
    condition:
        all of them
}
This rule contains 3 string patterns in its detection logic. Its "all of them" condition requires every pattern to be present, so a document that carries an INCLUDEPICTURE field but no ".php?id=" URL does not match.
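As an added example (not part of the original rule or page), the three literal strings above are written out with their YARA escaping resolved and the rule's "all of them" condition reproduced in plain Python, so a sample can be checked without yara-python. The RTF fragments and hostnames are constructed for the test and are not real indicators.

```python
# Added example: the three literal strings from the YARA rule above, with the
# YARA escaping resolved to the raw bytes that must appear in the file, and the
# rule's `all of them` condition reproduced in plain Python (no yara-python needed).
MWI_STRINGS = {
    "field_creation_tag": rb"{\field{\*\fldinst { INCLUDEPICTURE",
    "mwistat_url": rb".php?id=",
    "field_closing_tag": rb"\\* MERGEFORMAT \\d}}{\fldrslt}}",
}


def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which pattern occurs in data."""
    offsets, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def mwi_matches(data: bytes) -> dict[str, list[int]]:
    """Per-string hit offsets, comparable to what `yara -s` prints for this rule."""
    return {name: find_all(data, pat) for name, pat in MWI_STRINGS.items()}


def is_mwi_document(data: bytes) -> bool:
    """The rule's `all of them` condition: every string must hit at least once."""
    return all(mwi_matches(data).values())


# Constructed test inputs (not real samples or indicators): a minimal RTF body
# containing an INCLUDEPICTURE field whose URL carries the ".php?id=" tracking
# parameter the rule keys on, and a benign one whose field points at an image.
MWI_LIKE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\field{\*\fldinst { INCLUDEPICTURE "
    rb'"http://stats.example.invalid/stat.php?id=CONSTRUCTED" '
    rb"\\* MERGEFORMAT \\d}}{\fldrslt}}}"
)
BENIGN_RTF = (
    rb"{\rtf1\ansi"
    rb"{\field{\*\fldinst { INCLUDEPICTURE "
    rb'"https://intranet.example.invalid/logo.png" '
    rb"\\* MERGEFORMAT \\d}}{\fldrslt}}}"
)

if __name__ == "__main__":
    for label, sample in (("mwi-like", MWI_LIKE_RTF), ("benign", BENIGN_RTF)):
        hits = mwi_matches(sample)
        print(label, "->", "MATCH" if is_mwi_document(sample) else "no match",
              {k: len(v) for k, v in hits.items()})
```

The benign sample shows why the rule needs all three strings: the INCLUDEPICTURE field and MERGEFORMAT closing tag are ordinary RTF, and only the ".php?id=" URL separates the MWI pattern from legitimate linked images.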
Scenario: A system administrator generates a report using Power BI for internal auditing purposes.
Filter/Exclusion: Exclude documents created by users with the Power BI application or specific Power BI report generation processes.
Scenario: A scheduled backup job using Veeam Backup & Replication generates temporary documentation files during the backup process.
Filter/Exclusion: Exclude files created by Veeam Backup & Replication processes or during scheduled backup windows.
Scenario: A Windows Task Scheduler job runs a script that generates a log file for troubleshooting purposes.
Filter/Exclusion: Exclude files created by Task Scheduler tasks or processes with known scheduled task identifiers.
Scenario: A Microsoft Word document is auto-generated by a SharePoint workflow for document approval.
Filter/Exclusion: Exclude documents created by SharePoint workflows or with specific document library paths.
Scenario: A PowerShell script runs as part of a Windows Admin Center task to generate a system health report.
Filter/Exclusion: Exclude files created by PowerShell scripts associated with Windows Admin Center or specific admin task identifiers.