Skip to content

Add rule for arbitrary file download via msoxmled.exe (LOLBAS)#6072

Open
cor-b wants to merge 4 commits into
SigmaHQ:masterfrom
cor-b:rule/msoxmled-arbitrary-download
Open

Add rule for arbitrary file download via msoxmled.exe (LOLBAS)#6072
cor-b wants to merge 4 commits into
SigmaHQ:masterfrom
cor-b:rule/msoxmled-arbitrary-download

Conversation

@cor-b

@cor-b cor-b commented Jun 21, 2026

Copy link
Copy Markdown

Summary of the Pull Request

Adds a detection rule for arbitrary file download via msoxmled.exe (Microsoft Office XML Editor, "Office XML Handler"), a newly documented LOLBAS binary (LOLBAS entry merged 2026-06-15). It can be abused with msoxmled.exe /verb open {REMOTE_URL} to pull a remote payload into INetCache (MITRE T1105, Ingress Tool Transfer). The rule mirrors the structure of the existing sibling rules for MsoHtmEd, MSPub, and ProtocolHandler.

Validated with evtx-sigma-checker against a real event, not a synthetic one. msoxmled.exe was executed on a live Microsoft 365 install (x64, build 16.0.20026) using the documented LOLBAS command with a benign target (Microsoft's own connectivity-test file). The resulting Sysmon Event ID 1 was exported and matched using the tests/thor.yml log-source config:

  • Fires on the real captured msoxmled.exe download event. The checker matched OriginalFileName, Image|endswith, and the https:// token in CommandLine.
  • Produces zero matches against the NextronSystems/evtx-baseline clean Windows datasets (no false positives).

On this build the binary ships at the Click-to-Run VFS path ...\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, which is why the rule keys on Image|endswith plus OriginalFileName rather than a fixed path.

References:

Changelog

new: Arbitrary File Download Via MSOXMLED.EXE

Example Log Event

Real Sysmon Event ID 1 captured from the execution described above (host and user values redacted, parent harness fields trimmed):

Process Create (Sysmon Event ID 1):
UtcTime: 2026-06-26 04:00:08.403
Image: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
FileVersion: 16.0.19530.20006
Description: Office XML Handler
Product: Microsoft Office
Company: Microsoft Corporation
OriginalFileName: msoxmled.exe
CommandLine: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open https://www.msftconnecttest.com/connecttest.txt
CurrentDirectory: C:\Windows\system32\
User: <REDACTED>
IntegrityLevel: Medium
Hashes: SHA1=4D6411162B4D4571862B85F007A2218F61FE783C,MD5=21B74F3BE08A4120407C4C30E787AC07,SHA256=D04E285253A8655B1D5F03933848849EAB47C8EB89E74814DFA1791B46850BC9
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Jun 21, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @cor-b 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

If you want to engage more with the community for official support, general discussions or announcements:

👉 Join our Discord server

@swachchhanda000 swachchhanda000 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @cor-b,

Thanks for the submission. We already have a generic rule catching arbitrary file download using a Microsoft Office application 4ae3e30b-b03f-43aa-87e3-b622f4048eed. SInce, this is also part of office application, It makes to update that existing rule. Please update that.

Cheers!

@swachchhanda000 swachchhanda000 added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Jul 2, 2026
swachchhanda000 and others added 2 commits July 2, 2026 14:59
Per maintainer review on PR SigmaHQ#6072: msoxmled.exe (Office XML Editor) is an
Office application binary, so add it to the existing generic rule
(4ae3e30b-b03f-43aa-87e3-b622f4048eed) instead of a standalone rule.

- Add '\MSOXMLED.EXE' / 'msoxmled.exe' to selection_img
- Add LOLBAS Msoxmled reference
- Remove the standalone proc_creation_win_msoxmled_download.yml
@cor-b

cor-b commented Jul 2, 2026

Copy link
Copy Markdown
Author

Hi @cor-b,

Thanks for the submission. We already have a generic rule catching arbitrary file download using a Microsoft Office application 4ae3e30b-b03f-43aa-87e3-b622f4048eed. SInce, this is also part of office application, It makes to update that existing rule. Please update that.

Cheers!

Thanks @swachchhanda000! Folded msoxmled.exe into 4ae3e30b (Image|endswith + OriginalFileName), added the LOLBAS reference, and removed the standalone rule. sigma check clean and re-tested against the baseline. Ready for re-review 🙏

@cor-b cor-b requested a review from swachchhanda000 July 2, 2026 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Author Input Required changes the require information from original author of the rules Review Needed The PR requires review Rules Windows Pull request add/update windows related rules Work In Progress Some changes are needed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants