Here is another sample that uses metadata for command execution. The word "powershell" was removed but the rest of the command is still there. I don't have the sample or pcaps for this one.

2dbba3c394ee4562112e45293ecf89e66eb0f559a05bbed4f1f7fa6542ef6490 > https://www.virustotal.com/#/file/2dbba3c394ee4562112e45293ecf89e66eb0f559a05bbed4f1f7fa6542ef6490/detection

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000160; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|net.webclient"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000161; rev:1;)

Thanks.
YM

From: Snort-sigs <snort-sigs-bounces@lists.snort.org> on behalf of Y M via Snort-sigs <snort-sigs@lists.snort.org>
Sent: Monday, June 11, 2018 10:13 PM
To: snort-sigs
Subject: [Snort-sigs] Office documents with commands in metadata
 
Hi,

This an attempt to detect documents with executable commands (certutil and powershell) in their metadata, which are accessed via embedded VBScript. Lab-generated pcaps of malicious documents are available. I added these under indicator-compromise, but I'm not sure if this is the appropriate category. Oh, and I am not sure if this a good detection idea; more testing is needed.

# --------------------
# Date: 2018-06-10
# Title: Office files with executable commands in metadata
# Reference: Research
# Hashes:
#     - f5f9f7f800a1f637395f34255e9937a878612573acf61dd41e1022869683e5da (no metadata)
#     - f87837b933d0cda0b23c1b2be6a05db40d480fe87edd9494f026b351e571f6aa
#     - fd8a6da88cfb37a8a220f4c5fb5bebc6dc8800e844a8ba843200037c86790c26
# Tests: pcap
# Confidence: low
# Notes: Seen in documents with CobaltStrike beaconing

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|certutil "; within:command_depth; nocase; content:" http"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000115; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Office document with executable command in metadata"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|1E 00 00 00|"; nocase; byte_extract:1,0,command_depth,relative; content:"|00 00|powershell"; within:command_depth; nocase; content:"|1E 00 00 00|"; distance:0; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000116; rev:1;)

Thanks.
YM