attack.t1204.002

Download From Suspicious TLD - Blacklist
May 18, 2023 · attack.initial_access attack.t1566 attack.execution attack.t1203 attack.t1204.002 ·
Share on:
Detects download of certain file types from hosts in suspicious TLDs

Read More
Download From Suspicious TLD - Whitelist
May 18, 2023 · attack.initial_access attack.t1566 attack.execution attack.t1203 attack.t1204.002 ·
Share on:
Detects executable downloads from suspicious remote systems

Read More
Microsoft Excel Add-In Loaded From Uncommon Location
May 15, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Read More
Suspicious Microsoft Office Child Process
Apr 24, 2023 · attack.defense_evasion attack.execution attack.t1047 attack.t1204.002 attack.t1218.010 ·
Share on:
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Read More
Suspicious WmiPrvSE Child Process
Apr 4, 2023 · attack.execution attack.defense_evasion attack.t1047 attack.t1204.002 attack.t1218.010 ·
Share on:
Detects suspicious and uncommon child processes of WmiPrvSE

Read More
Active Directory Kerberos DLL Loaded Via Office Application
Apr 3, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects Kerberos DLL being loaded by an Office Product

Read More
Active Directory Parsing DLL Loaded Via Office Application
Apr 3, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects DSParse DLL being loaded by an Office Product

Read More
CLR DLL Loaded Via Office Applications
Apr 3, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects CLR DLL being loaded by an Office Product

Read More
DotNET Assembly DLL Loaded Via Office Application
Apr 3, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects any assembly DLL being loaded by an Office Product

Read More
Suspicious WMIC Execution Via Office Process
Feb 14, 2023 · attack.t1204.002 attack.t1047 attack.t1218.010 attack.execution attack.defense_evasion ·
Share on:
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).

Read More
GAC DLL Loaded Via Office Applications
Feb 9, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects any GAC DLL being loaded by an Office Product

Read More
Microsoft VBA For Outlook Addin Loaded Via Outlook
Feb 9, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

Read More
VBA DLL Loaded Via Office Application
Feb 9, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.

Read More
Suspicious Outlook Child Process
Feb 9, 2023 · attack.execution attack.t1204.002 ·
Share on:
Detects a suspicious process spawning from an Outlook process.

Read More
New Application in AppCompat
Feb 7, 2023 · attack.execution attack.t1204.002 ·
Share on:
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Read More
Suspicious Binary In User Directory Spawned From Office Application
Feb 6, 2023 · attack.execution attack.t1204.002 attack.g0046 car.2013-05-002 ·
Share on:
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Read More
Suspicious Microsoft Office Child Process - MacOS
Feb 4, 2023 · attack.execution attack.persistence attack.t1059.002 attack.t1137.002 attack.t1204.002 ·
Share on:
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Read More
Flash Player Update from Suspicious Location
Feb 1, 2023 · attack.initial_access attack.t1189 attack.execution attack.t1204.002 attack.defense_evasion attack.t1036.005 ·
Share on:
Detects a flashplayer update from an unofficial location

Read More
LittleCorporal Generated Maldoc Injection
Feb 1, 2023 · attack.execution attack.t1204.002 attack.t1055.003 ·
Share on:
Detects the process injection of a LittleCorporal generated Maldoc.

Read More
Ursnif Malware C2 URL Pattern
Jan 31, 2023 · attack.initial_access attack.t1566.001 attack.execution attack.t1204.002 attack.command_and_control attack.t1071.001 ·
Share on:
Detects Ursnif C2 traffic.

Read More
Created Files by Office Applications
Oct 26, 2022 · attack.t1204.002 attack.execution ·
Share on:
This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

Read More
File Was Not Allowed To Run
Oct 25, 2022 · attack.execution attack.t1204.002 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.006 attack.t1059.007 ·
Share on:
Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.

Read More