ppaction

Hunt Hypothesis

The ppaction rule detects potential adversary behavior involving the use of PowerShell to execute arbitrary commands, which may indicate initial compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could escalate into more severe breaches.

YARA Rule

rule ppaction {

meta:
	ref = "https://blog.nviso.be/2017/06/07/malicious-powerpoint-documents-abusing-mouse-over-actions/amp/"
	Description = "Malicious PowerPoint Documents Abusing Mouse Over Actions"
  hash = "68fa24c0e00ff5bc1e90c96e1643d620d0c4cda80d9e3ebeb5455d734dc29e7"

strings:
$a = "ppaction" nocase
condition:
$a
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as Windows Task Scheduler running a cleanup or disk defragmentation tool, may trigger the rule due to similar process names or behaviors.
  Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler and filter by process names like defrag.exe, cleanmgr.exe, or dism.exe.

• Scenario: Antivirus or Endpoint Protection Scan
  Description: Antivirus tools like Kaspersky, Bitdefender, or Microsoft Defender may execute processes that resemble malicious activity during a full system scan.
  Filter/Exclusion: Exclude processes with parent processes from antivirus vendors or filter by known safe process names like mpsvc.exe, mfev.exe, or avp.exe.

• Scenario: Database Backup Job
  Description: A database backup job using tools like MySQL Backup Utility, pg_dump (PostgreSQL), or SQL Server Backup may trigger the rule due to similar command-line arguments or process names.
  Filter/Exclusion: Exclude processes with parent processes related to database services (e.g., mysql.exe, sqlservr.exe) or filter by known backup tools.

• Scenario: Software Update Deployment
  Description: Tools like Chocolatey, WSUS, or Microsoft Endpoint Configuration Manager may execute processes that match the rule’s signature during software update deployment.
  Filter/Exclusion: Exclude processes with parent processes from update management tools or filter by process names like choco.exe, wsusutil.exe, or ccmexec.exe.

• Scenario: Log File Processing by SIEM Tools
  Description: SIEM tools like Splunk, ELK Stack, or QRadar may process log files and trigger the rule