File Dropped By EQNEDT32EXE

File dropped by EQNEDT32.EXE (CVE-2017-11882)

Sigma rule

title: File Dropped By EQNEDT32EXE
status: experimental
description: File dropped by EQNEDT32.EXE(CVE-2017-11882)
author: Joe Security
date: 2019-10-29
id: 200013
threatname:
behaviorgroup: 25
classification: 7
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        # Sysmon Event ID 11 = FileCreate
        EventID: 11
        # Process that created the file: the Equation Editor binary
        Image: '*\EQUATION\EQNEDT32.EXE*'
        # Created file is an executable or script type (any one of these)
        TargetFilename:
            - '*\\*.exe*'
            - '*\\*.dll*'
            - '*\\*.vbs*'
            - '*\\*.js*'
            - '*\\*.hta*'
            - '*\\*.bat*'
    condition: selection
level: critical
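How the selection above evaluates against Sysmon events, as an added example (not Joe Security's code): the patterns are copied from the rule, the events are constructed, and `sigma_to_regex` and `matches` are hypothetical helper names. It also shows that the trailing wildcard in `'*\\*.js*'` makes the rule fire on `.json` files.

```python
import re

# Selection copied from the rule above; raw strings keep the backslashes as written.
SELECTION = {
    "EventID": [11],
    "Image": [r"*\EQUATION\EQNEDT32.EXE*"],
    "TargetFilename": [r"*\\*.exe*", r"*\\*.dll*", r"*\\*.vbs*",
                       r"*\\*.js*", r"*\\*.hta*", r"*\\*.bat*"],
}

def sigma_to_regex(pattern):
    # Sigma string rules: '*' is any run, '?' is one character; a backslash
    # escapes '\', '*' and '?', and is a plain backslash before anything else.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] in ("\\", "*", "?"):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    # Sigma string matching is case-insensitive by default.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def matches(event, selection=SELECTION):
    # Fields are ANDed; the values listed under one field are ORed.
    for field, values in selection.items():
        actual = str(event.get(field, ""))
        if not any(sigma_to_regex(str(v)).fullmatch(actual) for v in values):
            return False
    return True

# Constructed Sysmon events (not real telemetry).
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EVENTS = [
    {"EventID": 11, "Image": EQN, "TargetFilename": r"C:\Users\u\AppData\Roaming\a.exe"},
    {"EventID": 11, "Image": EQN, "TargetFilename": r"C:\Users\u\AppData\Local\Temp\x.tmp"},
    {"EventID": 11, "Image": EQN, "TargetFilename": r"C:\Users\u\AppData\Local\cfg.json"},
    {"EventID": 1, "Image": EQN, "TargetFilename": r"C:\Users\u\AppData\Roaming\a.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\u\a.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(matches(ev), ev["Image"].rsplit("\\", 1)[-1], ev["TargetFilename"])
```
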