
# ASR Executable Office Content 

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1137 | Office Application Startup | https://attack.mitre.org/techniques/T1137/ |

#### Description
The description of this ASR rule: This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.

This query tries to detect persistence via executable Office content. Malicious executable files can be written to disk when an infected Office file is opened. This ASR rule does not generate an alert by default, so the events it produces (audited or blocked) only surface through hunting queries like this one.

Note: The query for Sentinel is different from the one for MDE, because the MDE query uses the FileProfile function, which is currently not supported by Sentinel. Therefore I suggest running this query in MDE for the best results.

#### Risk
A malicious Office document has run and an attacker has gained persistence on the device.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-applications-from-creating-executable-content

## Defender For Endpoint
```
// To prevent false positives a FilePrevalenceThreshold is used: files seen on more devices than this are dropped.
let FilePrevalenceThreshold = 100;
DeviceEvents
// Filter on the specific ActionTypes (audit and block events of this ASR rule)
| where ActionType in~ ('AsrExecutableOfficeContentAudited', 'AsrExecutableOfficeContentBlocked')
// Enrich results with File information
| invoke FileProfile('SHA1', 10000)
// Keep rare files. Files without prevalence data are kept explicitly: a comparison against an empty
// value is never true in KQL, so without the isempty() check such files would silently drop out.
| where isempty(GlobalPrevalence) or GlobalPrevalence <= FilePrevalenceThreshold
| project Timestamp, DeviceName, InitiatingProcessAccountUpn, FileName, FolderPath, ActionType, Signer, GlobalFirstSeen, GlobalPrevalence, SHA1, InitiatingProcessCommandLine, InitiatingProcessFolderPath
```
## Sentinel
```
DeviceEvents
// Filter on the specific ActionTypes (audit and block events of this ASR rule)
| where ActionType in~ ('AsrExecutableOfficeContentAudited', 'AsrExecutableOfficeContentBlocked')
// No FileProfile enrichment here: the function is not available in Sentinel, so no prevalence filter is applied
| project TimeGenerated, DeviceName, InitiatingProcessAccountUpn, FileName, FolderPath, ActionType, SHA1, InitiatingProcessCommandLine, InitiatingProcessFolderPath
```

Explanation

This query is used to detect persistence via executable Office content. It looks for the audit and block action types of the ASR rule that stops Office applications like Word, Excel, and PowerPoint from creating executable content. The Defender for Endpoint version enriches the results with file information via FileProfile and filters out files that are common across the global fleet, then projects the timestamp, device name, initiating process account, file name, folder path, action type, signer, global first seen, global prevalence, SHA1 hash, initiating process command line, and initiating process folder path. The Sentinel version cannot use FileProfile, so it returns every matching event without the signer and prevalence columns and without the prevalence filter.
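The triage logic of the MDE query, reimplemented over constructed DeviceEvents rows so it can be run offline. This is an added example and not code from the original page or the author's query repository; the events, SHA1 values, prevalence numbers and the FileProfile stand-in are made up. It also shows the edge case the prevalence filter has to handle: a file the cloud has never seen has no GlobalPrevalence value, and a plain `<=` comparison would drop exactly that file.

```python
"""Reference implementation of the ASR executable-Office-content triage logic,
run over constructed sample events. Added example; the data below is made up."""
from typing import Optional

# ActionTypes the KQL filters on; KQL's in~ is case-insensitive, so compare lowercased.
ASR_ACTION_TYPES = {"asrexecutableofficecontentaudited", "asrexecutableofficecontentblocked"}
FILE_PREVALENCE_THRESHOLD = 100  # same value as the KQL query

# Stand-in for FileProfile(): SHA1 -> (Signer, GlobalPrevalence, GlobalFirstSeen).
# A hash missing here models a file the cloud has never seen (empty enrichment columns).
FILE_PROFILE_DB = {
    "1111111111111111111111111111111111111111": ("Microsoft Windows", 2_500_000, "2015-07-29"),
    "2222222222222222222222222222222222222222": (None, 3, "2023-03-01"),
}

# Constructed DeviceEvents rows (column names follow the Advanced Hunting schema).
SAMPLE_EVENTS = [
    {   # Word dropped an unsigned DLL seen on only 3 devices -> should surface
        "Timestamp": "2023-03-06T09:14:02Z", "DeviceName": "ws-finance-01",
        "ActionType": "AsrExecutableOfficeContentBlocked",
        "InitiatingProcessAccountUpn": "alice@contoso.example",
        "FileName": "update.dll", "FolderPath": r"C:\Users\alice\AppData\Roaming\update.dll",
        "SHA1": "2222222222222222222222222222222222222222",
        "InitiatingProcessCommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"',
        "InitiatingProcessFolderPath": r"c:\program files\microsoft office\root\office16\winword.exe",
    },
    {   # Excel wrote an EXE the cloud has never seen -> must surface, not be lost
        "Timestamp": "2023-03-06T10:02:41Z", "DeviceName": "ws-hr-07",
        "ActionType": "AsrExecutableOfficeContentAudited",
        "InitiatingProcessAccountUpn": "bob@contoso.example",
        "FileName": "report.exe", "FolderPath": r"C:\Users\bob\AppData\Local\Temp\report.exe",
        "SHA1": "3333333333333333333333333333333333333333",
        "InitiatingProcessCommandLine": r'"EXCEL.EXE" "C:\Users\bob\Downloads\payroll.xlsm"',
        "InitiatingProcessFolderPath": r"c:\program files\microsoft office\root\office16\excel.exe",
    },
    {   # differently cased ActionType; file is a well-known high-prevalence binary -> filtered out
        "Timestamp": "2023-03-06T11:30:00Z", "DeviceName": "ws-it-02",
        "ActionType": "asrexecutableofficecontentaudited",
        "InitiatingProcessAccountUpn": "carol@contoso.example",
        "FileName": "helper.exe", "FolderPath": r"C:\Users\carol\Documents\helper.exe",
        "SHA1": "1111111111111111111111111111111111111111",
        "InitiatingProcessCommandLine": r'"POWERPNT.EXE" "C:\Users\carol\deck.pptm"',
        "InitiatingProcessFolderPath": r"c:\program files\microsoft office\root\office16\powerpnt.exe",
    },
    {   # unrelated ActionType -> never considered
        "Timestamp": "2023-03-06T12:00:00Z", "DeviceName": "ws-it-02",
        "ActionType": "AntivirusDetection", "InitiatingProcessAccountUpn": "carol@contoso.example",
        "FileName": "eicar.com", "FolderPath": r"C:\Users\carol\Downloads\eicar.com",
        "SHA1": "4444444444444444444444444444444444444444",
        "InitiatingProcessCommandLine": "explorer.exe", "InitiatingProcessFolderPath": r"c:\windows",
    },
]

# Columns the KQL `project` keeps.
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessAccountUpn", "FileName", "FolderPath",
             "ActionType", "Signer", "GlobalFirstSeen", "GlobalPrevalence", "SHA1",
             "InitiatingProcessCommandLine", "InitiatingProcessFolderPath")


def file_profile(sha1: str) -> dict:
    """Look up the constructed enrichment; unknown hashes yield empty columns."""
    signer, prevalence, first_seen = FILE_PROFILE_DB.get(sha1, (None, None, None))
    return {"Signer": signer, "GlobalPrevalence": prevalence, "GlobalFirstSeen": first_seen}


def is_rare(prevalence: Optional[int], threshold: int, keep_unknown: bool) -> bool:
    """Mirror `where GlobalPrevalence <= threshold`. A comparison against an empty
    value is not true in KQL, so a never-seen file is dropped unless the query also
    tests isempty(); keep_unknown=True models that extra clause."""
    if prevalence is None:
        return keep_unknown
    return prevalence <= threshold


def triage(events, threshold: int = FILE_PREVALENCE_THRESHOLD, keep_unknown: bool = True):
    """Apply the ActionType filter, enrich, apply the prevalence filter, project."""
    rows = []
    for ev in events:
        if ev["ActionType"].lower() not in ASR_ACTION_TYPES:
            continue
        enriched = {**ev, **file_profile(ev["SHA1"])}
        if not is_rare(enriched["GlobalPrevalence"], threshold, keep_unknown):
            continue
        rows.append({k: enriched.get(k) for k in PROJECTED})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["DeviceName"], row["ActionType"], row["FileName"],
              row["GlobalPrevalence"], row["InitiatingProcessCommandLine"])
```

Running it with the defaults returns the rare DLL written by Word and the never-seen EXE written by Excel; calling `triage(SAMPLE_EVENTS, keep_unknown=False)` reproduces a plain `GlobalPrevalence <= threshold` filter and loses the never-seen file, which is why the isempty() check matters in the live query.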

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceEvents

Keywords

Devices,Intune,User,ASR,Executable,Office,Content

Operators

|,in~,where,project,invoke
