title: Invoke-MalDoc
description: Detection of Invoke-MalDoc.ps1, complementary to T1027 Evasion
  Indicator built into SentinelOne Agent.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Initial Access
   technique: T1566
   subtechnique: 001
operating_system: windows
query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")
  AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
  In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
  OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
false_positives: 
   - Macro security setting changes
   - Powershell automation of Office docs
tags: