Cleaned up signature descriptions and metadata.

queries/windows/invoke-maldoc.yml

@@ -1,13 +1,9 @@
 title: Invoke-MalDoc
-description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion
-  Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query
-  should only be used for threat hunting, but it will detect Macro security settings
-  changes to the registry for Word and Excel as well as detecting COM objects within
-  ComandLine and CommandScript indicator objects. There may be a lot of results, focus
-  on Indicators and Command Scripts objects as they'll have less false positives.
+description: Detection of Invoke-MalDoc.ps1, complementary to T1027 Evasion
+  Indicator built into SentinelOne Agent.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
    tactic: Initial Access
    technique: T1566
@@ -17,6 +13,8 @@ query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\Acc
   AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
   In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
   OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
-false_positives: null
-tags: null
+false_positives: 
+   - Macro security setting changes
+   - Powershell automation of Office docs
+tags: