auto-generated queries from markdown notes

queries/windows/malicious_documents.yml

@@ -0,0 +1,18 @@
+title: Malicious Documents
+description: The tests for this technique overlap heavily with T1566.001 Spearphishing
+  Attachment due to similar download and macro detections, so here we're focusing
+  on detecting Office applications launching processes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution
+   technique: T1204
+   subtechnique: 002
+operating_system: windows
+query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
+  In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
+  OR IndicatorName = "SuspiciousDocument"
+false_positives: Legit docs with macros.
+tags: null
+