Equation Editor Network Connection
Detects network connections from Equation Editor
Sigma rule
title: Equation Editor Network Connection
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: test
description: Detects network connections from Equation Editor
references:
    - https://twitter.com/forensicitguy/status/1513538712986079238
    - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
author: Max Altgelt (Nextron Systems)
date: 2022/04/14
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\eqnedt32.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
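The rule has a single selection, so its whole logic is the `Image|endswith: '\eqnedt32.exe'` test applied to Windows network_connection events. The following Python is an added example, not part of the rule page or of any Sigma tooling: it applies that one condition, with Sigma's default case-insensitive string matching, to a handful of constructed events shaped like Sysmon Event ID 3 records. The field names other than `Image`, the IP addresses (documentation ranges) and the paths are all made up for the demonstration.

```python
"""
Added example (not from the Sigma rule page): evaluate the rule's selection
    Image|endswith: '\eqnedt32.exe'
against constructed Windows network_connection events. Sigma string
modifiers compare case-insensitively unless the `cased` modifier is used,
so the matcher lowercases both sides before comparing.
"""
from typing import Dict, List

# Values taken from the rule itself.
RULE_TITLE = "Equation Editor Network Connection"
RULE_SUFFIX = "\\eqnedt32.exe"
RULE_LEVEL = "high"


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma's `endswith` modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's condition is just `selection`, i.e. this one field test."""
    return sigma_endswith(event.get("Image", ""), RULE_SUFFIX)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert record per matching event, tagged with rule metadata."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "Image": event.get("Image", ""),
                "DestinationIp": event.get("DestinationIp", ""),
                "DestinationPort": event.get("DestinationPort", ""),
            })
    return alerts


# Constructed sample events (Sysmon Event ID 3 shape); nothing here is real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Match: the legitimate install path, upper-case file name.
        "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "DestinationIp": "203.0.113.10", "DestinationPort": "80",
    },
    {   # No match: Word itself talking to the network is not what this rule covers.
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "DestinationIp": "198.51.100.7", "DestinationPort": "443",
    },
    {   # Match: the rule keys on the file name only, not on the directory.
        "Image": r"C:\Users\alice\AppData\Local\Temp\eqnedt32.exe",
        "DestinationIp": "203.0.113.20", "DestinationPort": "8080",
    },
    {   # No match: suffix test, so a trailing extension defeats it.
        "Image": r"C:\Temp\eqnedt32.exe.bak",
        "DestinationIp": "203.0.113.30", "DestinationPort": "80",
    },
    {   # No match: the leading backslash in the pattern pins the whole file name.
        "Image": r"C:\Temp\noteqnedt32.exe",
        "DestinationIp": "203.0.113.40", "DestinationPort": "80",
    },
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: {alert['Image']} "
              f"-> {alert['DestinationIp']}:{alert['DestinationPort']}")
```

Two of the five constructed events fire. The third event shows why the rule lists no path: any process whose image name is `eqnedt32.exe` making a network connection is suspicious, wherever it lives. The last two events show the limits of a pure suffix test, which is why a renamed copy of the binary would need a different rule (for example one keyed on the file's original name or hash) rather than this one.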
Related rules
- Suspicious Browser Child Process - MacOS
- Download From Suspicious TLD - Whitelist
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- CVE-2021-26858 Exchange Exploitation
- OMIGOD HTTP No Authentication RCE