Detects the process injection of a LittleCorporal generated Maldoc.

Read More

Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Read More

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Read More

Detects suspicious and uncommon child processes of WmiPrvSE

Read More

Detects the creation of files with an executable or script extension by an Office application.

Read More

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Read More

Detects a suspicious process spawning from an Outlook process.

Read More

Detects a remote DLL load event via "rundll32.exe".

Read More

A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Read More

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Read More

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Read More

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Read More

Detects specific process characteristics of Maze ransomware word document droppers

Read More

Detects download of certain file types from hosts in suspicious TLDs

Read More

Detects executable downloads from suspicious remote systems

Read More

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Read More

This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

Read More

Detects Kerberos DLL being loaded by an Office Product

Read More

Detects DSParse DLL being loaded by an Office Product

Read More

Detects CLR DLL being loaded by an Office Product

Read More

Detects any assembly DLL being loaded by an Office Product

Read More

Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).

Read More

Detects any GAC DLL being loaded by an Office Product

Read More

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

Read More

Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.

Read More

Detects a flashplayer update from an unofficial location

Read More

Detects Ursnif C2 traffic.

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.

Read More

Detecting the execution of weaponized maldoc or embedded link in outlook that uses ms-msdt scheme to execute code.

Read More

Detecting sdiagnhost.exe executing the POC as a result of vulnerability based on ms-msdt.

Read More