From 53cee559c3c531a0e15162b87a6bc84f9cbf3fb0 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 17 Dec 2025 13:59:09 -0600
Subject: [PATCH 1/4] Create attachment_powerpoint_generated.yml
---
 .../attachment_powerpoint_generated.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 detection-rules/attachment_powerpoint_generated.yml
diff --git a/detection-rules/attachment_powerpoint_generated.yml b/detection-rules/attachment_powerpoint_generated.yml
new file mode 100644
index 00000000000..bad3d993a4a
--- /dev/null
+++ b/detection-rules/attachment_powerpoint_generated.yml
@@ -0,0 +1,24 @@
+name: "Attachment: PowerPoint file generated with python-pptx library"
+description: "Detects PowerPoint presentations (.ppt, .pptx) or OpenDocument presentations (.odt) that contain strings indicating they were created using the python-pptx library, which may suggest automated generation for malicious purposes."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (.file_extension in~ ("ppt", "pptx", "odt"))
+ and any(file.explode(.),
+ strings.icontains(.scan.strings.raw,
+ "generated using python-pptx"
+ )
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Content analysis"
From 72baff1ba1409c7e715881682a8434f5994f3fbc Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 17 Dec 2025 20:02:03 +0000
Subject: [PATCH 2/4] Auto add rule ID
---
 detection-rules/attachment_powerpoint_generated.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_powerpoint_generated.yml b/detection-rules/attachment_powerpoint_generated.yml
index bad3d993a4a..3627b8115f0 100644
--- a/detection-rules/attachment_powerpoint_generated.yml
+++ b/detection-rules/attachment_powerpoint_generated.yml
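Review bot: The extension list in `(.file_extension in~ ("ppt", "pptx", "odt"))`, and the description's "OpenDocument presentations (.odt)", treat `.odt` as a presentation format, but `.odt` is the OpenDocument text-document extension and the presentation extension is `.odp`, so ODP decks are never examined while ODT text files are. The same list is carried into the `filter(attachments, …)` call added in PATCH 4/4. Suggest `(.file_extension in~ ("ppt", "pptx", "odp"))` and changing the description to `OpenDocument presentations (.odp)`. Separately, `severity: "high"` rests on a single library-fingerprint string; legitimately automated decks would presumably carry the same marker, so a lower severity or one more corroborating signal would keep benign bulk-generated presentations out of a high-severity queue.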
@@ -22,3 +22,4 @@ detection_methods:
 - "Archive analysis"
 - "File analysis"
 - "Content analysis"
+id: "7bb3fb81-26a0-56e7-9eeb-880d41c12541"
From 4440fff2fcf8194ec6874e5d795ebc16743bdd8c Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:18:49 -0600
Subject: [PATCH 3/4] Update attachment_powerpoint_generated.yml
---
 detection-rules/attachment_powerpoint_generated.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/detection-rules/attachment_powerpoint_generated.yml b/detection-rules/attachment_powerpoint_generated.yml
index 3627b8115f0..790d49ba93c 100644
--- a/detection-rules/attachment_powerpoint_generated.yml
+++ b/detection-rules/attachment_powerpoint_generated.yml
@@ -5,12 +5,11 @@ severity: "high"
 source: |
 type.inbound
 and any(attachments,
- (.file_extension in~ ("ppt", "pptx", "odt"))
- and any(file.explode(.),
- strings.icontains(.scan.strings.raw,
- "generated using python-pptx"
- )
- )
+ //
+ // This rule makes use of a beta feature and is subject to change without notice
+ // using the beta feature in custom rules is not suggested until it has been formally released
+ //
+ any(beta.parse_exif(.).fields, .value == "generated using python-pptx")
 )
 attack_types:
 - "Malware/Ransomware"
From 746b38f9cf12dd436b79eece4a24c341cdfbaa98 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Mon, 22 Dec 2025 16:47:55 -0600
Subject: [PATCH 4/4] Update attachment_powerpoint_generated.yml
---
 detection-rules/attachment_powerpoint_generated.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_powerpoint_generated.yml b/detection-rules/attachment_powerpoint_generated.yml
index 790d49ba93c..a8f973df632 100644
--- a/detection-rules/attachment_powerpoint_generated.yml
+++ b/detection-rules/attachment_powerpoint_generated.yml
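Review bot: The added `any(beta.parse_exif(.).fields, .value == "generated using python-pptx")` in the PATCH 3/4 hunk matches by exact equality, whereas the `strings.icontains` call it replaces tolerated case differences and a surrounding phrase, so any field value that is not byte-identical to the literal now falls through. If `.value` is a string, `any(beta.parse_exif(.).fields, strings.icontains(.value, "generated using python-pptx"))` keeps the earlier tolerance without widening the match beyond the same phrase. This hunk also drops the `file.explode(.)` pass, so the `"Archive analysis"` entry under `detection_methods` and the description's wording about strings contained in the file (both outside this hunk) appear to describe the pre-change logic and should be revisited alongside the metadata-based check.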
@@ -4,7 +4,7 @@ type: "rule"
 severity: "high"
 source: |
 type.inbound
- and any(attachments,
+ and any(filter(attachments, .file_extension in~ ("ppt", "pptx", "odt")),
 //
 // This rule makes use of a beta feature and is subject to change without notice
 // using the beta feature in custom rules is not suggested until it has been formally released