mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
21 lines
754 B
YAML
21 lines
754 B
YAML
title: Malicious Documents
|
|
description: Detect high risk processes spawned from Office applications. Complementary to T1566.001 Spearphishing
|
|
Attachment due to similar download and macro detections.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Execution
|
|
technique: T1204
|
|
subtechnique: 002
|
|
operating_system: windows
|
|
query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
|
|
In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
|
|
OR IndicatorName = "SuspiciousDocument"
|
|
false_positives:
|
|
- Legit docs with macros.
|
|
- McAfee DLP hits on links opened from docs.
|
|
- Office plugins opening sites within browsers.
|
|
tags:
|
|
|