Detects download of certain file types from hosts in suspicious TLDs
Detects executable downloads from suspicious remote systems
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Detects suspicious and uncommon child processes of WmiPrvSE
Detects Kerberos DLL being loaded by an Office Product
Detects DSParse DLL being loaded by an Office Product
Detects CLR DLL being loaded by an Office Product
Detects any assembly DLL being loaded by an Office Product
Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
Detects any GAC DLL being loaded by an Office Product
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.
Detects a suspicious process spawning from an Outlook process.
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Detects an executable in the Users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution.
Detects a Flash Player update from an unofficial location
Detects the process injection of a LittleCorporal generated Maldoc.
Detects Ursnif C2 traffic.
This rule monitors executable and script file creation by Office applications. Add further file extensions or magic bytes to the logic as you see fit.
Detects files that AppLocker blocked from running. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.