Office product drops executable at suspicious location

Sigma rule

```yaml
title: Office product drops executable at suspicious location
status: experimental
description: Office product drops executable at suspicious location
author: Joe Security
date: 2020-01-30
id: 200046
threatname:
behaviorgroup: 1
classification: 7
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        Image:
            - '*\Microsoft Office*\Office*\WINWORD.EXE*'
            - '*\Microsoft Office*\Office*\EXCEL.EXE*'
        TargetFilename:
            - '*\Documents\\*.exe*'
            - '*\Documents\\*.dll*'
            - '*\Documents\\*.scr*'
    condition: selection
level: critical
```
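How the selection above evaluates, as an added example that is not part of this page or of Joe Security's tooling: a small Python matcher that translates the rule's Sigma wildcard strings (including the `\\` escape for a literal backslash before the `*`) into anchored regexes and runs the AND-of-fields / OR-of-values logic over constructed Sysmon FileCreate records. It assumes events already flattened to dicts keyed by the Sysmon field names; the paths and file names are constructed sample data.

```python
import re

# The rule's selection block, transcribed from the Sigma YAML on this page.
SELECTION = {
    "EventID": [11],
    "Image": [r"*\Microsoft Office*\Office*\WINWORD.EXE*",
              r"*\Microsoft Office*\Office*\EXCEL.EXE*"],
    "TargetFilename": [r"*\Documents\\*.exe*",
                       r"*\Documents\\*.dll*",
                       r"*\Documents\\*.scr*"],
}

def sigma_to_regex(pattern: str) -> re.Pattern:
    r"""Sigma wildcard string -> anchored, case-insensitive regex.
    '\\' is a literal backslash, '\*' and '\?' are literal wildcard chars, a lone
    backslash before any other char is literal, '*' any run, '?' one char."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] in ("\\", "*", "?"):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def field_matches(actual, values) -> bool:
    # Values listed under one field are OR-ed; ints compare exactly, strings as wildcards.
    return any(str(actual) == str(v) if isinstance(v, int)
               else sigma_to_regex(v).match(str(actual)) is not None
               for v in values)

def matches(event: dict) -> bool:
    # 'condition: selection': every field of the selection must match (AND).
    return all(field in event and field_matches(event[field], values)
               for field, values in SELECTION.items())

# Constructed Sysmon FileCreate (Event ID 11) records, not real telemetry.
OFFICE = r"C:\Program Files\Microsoft Office\Office16"
DOCS = r"C:\Users\alice\Documents"
EVENTS = [
    {"EventID": 11, "Image": OFFICE + r"\WINWORD.EXE", "TargetFilename": DOCS + r"\invoice.exe"},  # hit
    {"EventID": 11, "Image": OFFICE + r"\EXCEL.EXE", "TargetFilename": DOCS + r"\budget.xlsx"},    # miss: extension
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": DOCS + r"\setup.exe"},  # miss: not Office
    {"EventID": 1, "Image": OFFICE + r"\WINWORD.EXE", "TargetFilename": DOCS + r"\dropper.scr"},   # miss: not FileCreate
]

def alerts(events):  # TargetFilename of every record the rule would fire on
    return [e["TargetFilename"] for e in events if matches(e)]
```

Because each pattern is bracketed by `*`, the trailing wildcard also accepts names such as `invoice.exe.txt`; that is the rule as written, which predates the `|endswith` modifiers later Sigma versions use for this.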