Add rule for arbitrary file download via msoxmled.exe (LOLBAS)#6072
Add rule for arbitrary file download via msoxmled.exe (LOLBAS)#6072cor-b wants to merge 4 commits into
Conversation
There was a problem hiding this comment.
Welcome @cor-b 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
If you want to engage more with the community for official support, general discussions or announcements:
swachchhanda000
left a comment
There was a problem hiding this comment.
Hi @cor-b,
Thanks for the submission. We already have a generic rule catching arbitrary file download using a Microsoft Office application 4ae3e30b-b03f-43aa-87e3-b622f4048eed. SInce, this is also part of office application, It makes to update that existing rule. Please update that.
Cheers!
Per maintainer review on PR SigmaHQ#6072: msoxmled.exe (Office XML Editor) is an Office application binary, so add it to the existing generic rule (4ae3e30b-b03f-43aa-87e3-b622f4048eed) instead of a standalone rule. - Add '\MSOXMLED.EXE' / 'msoxmled.exe' to selection_img - Add LOLBAS Msoxmled reference - Remove the standalone proc_creation_win_msoxmled_download.yml
Thanks @swachchhanda000! Folded msoxmled.exe into 4ae3e30b (Image|endswith + OriginalFileName), added the LOLBAS reference, and removed the standalone rule. sigma check clean and re-tested against the baseline. Ready for re-review 🙏 |
Summary of the Pull Request
Adds a detection rule for arbitrary file download via
msoxmled.exe(Microsoft Office XML Editor, "Office XML Handler"), a newly documented LOLBAS binary (LOLBAS entry merged 2026-06-15). It can be abused withmsoxmled.exe /verb open {REMOTE_URL}to pull a remote payload into INetCache (MITRE T1105, Ingress Tool Transfer). The rule mirrors the structure of the existing sibling rules for MsoHtmEd, MSPub, and ProtocolHandler.Validated with evtx-sigma-checker against a real event, not a synthetic one.
msoxmled.exewas executed on a live Microsoft 365 install (x64, build 16.0.20026) using the documented LOLBAS command with a benign target (Microsoft's own connectivity-test file). The resulting Sysmon Event ID 1 was exported and matched using thetests/thor.ymllog-source config:msoxmled.exedownload event. The checker matchedOriginalFileName,Image|endswith, and thehttps://token inCommandLine.On this build the binary ships at the Click-to-Run VFS path
...\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, which is why the rule keys onImage|endswithplusOriginalFileNamerather than a fixed path.References:
Changelog
new: Arbitrary File Download Via MSOXMLED.EXE
Example Log Event
Real Sysmon Event ID 1 captured from the execution described above (host and user values redacted, parent harness fields trimmed):
Fixed Issues
SigmaHQ Rule Creation Conventions