mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
23 lines
1.1 KiB
YAML
title: Invoke-MalDoc
description: This execution of macro code using Invoke-MalDoc triggers the S1 T1027 Evasion
  Indicator, so we could RegEx on IndicatorMetadata, but that would have noise. The query
  should only be used for threat hunting. It detects macro security setting changes to the
  registry for Word and Excel, as well as COM objects within CommandLine and CommandScript
  indicator objects. There may be a lot of results; focus on the Indicators and Command
  Scripts objects, as they will have fewer false positives.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Initial Access
  technique: T1566
  subtechnique: 001
operating_system: windows
query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")
  AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
  In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
  OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
false_positives: null
tags: null
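The query above has two OR'd branches: AccessVBOM registry value writes for Word or Excel, and Office COM or VBA object-model names in a process command line or script. The following is added example code, not part of the sentinelone-queries repository, that re-implements those branches in Python over constructed sample events so an analyst can check which event shapes would match (and which would not) before running the query in Deep Visibility. It assumes that `In Contains` is a substring match against any listed value and that `Anycase` makes it case-insensitive; the dict-based event shape, the `id` field and all sample values are constructed for this example.

```python
"""Local re-implementation of the Invoke-MalDoc hunting query over sample events.

Added example, not code from the sentinelone-queries repository. Field names
(RegistryPath, EventType, SrcProcCmdLine, SrcProcCmdScript) are the ones used
in the query; the matching semantics assumed for `In Contains` / `Anycase`
are substring / case-insensitive substring (an assumption, not S1 docs).
"""

# Values copied from the query's own lists.
REGISTRY_PATHS = ("Word\\Security\\AccessVBOM", "Excel\\Security\\AccessVBOM")
REGISTRY_EVENTS = ("Registry Value Create", "Registry Value Modified")
COM_MARKERS = ("ActiveVBProject.VBComponents", "Word.Application", "Excel.Application")


def in_contains(value, needles, anycase=False):
    """Model of S1 `In Contains [Anycase]`: any needle is a substring of value."""
    if value is None:
        return False
    if anycase:
        value = value.lower()
        needles = [n.lower() for n in needles]
    return any(n in value for n in needles)


def matches_invoke_maldoc(event):
    """Evaluate both branches of the query against a single event dict."""
    # Branch 1: VBA object-model access toggled in the Word/Excel security key.
    # RegistryPath is NOT Anycase in the query, so this stays case-sensitive.
    registry_branch = (
        in_contains(event.get("RegistryPath"), REGISTRY_PATHS)
        and event.get("EventType") in REGISTRY_EVENTS
    )
    # Branch 2: Office COM / VBA object names in the command line or script body.
    com_branch = (
        in_contains(event.get("SrcProcCmdLine"), COM_MARKERS, anycase=True)
        or in_contains(event.get("SrcProcCmdScript"), COM_MARKERS, anycase=True)
    )
    return registry_branch or com_branch


# Constructed sample telemetry (not real data); every value here is illustrative.
SAMPLE_EVENTS = [
    {   # AccessVBOM written under the Word security key: registry branch fires
        "id": 1,
        "EventType": "Registry Value Modified",
        "RegistryPath": "HKEY_USERS\\S-1-5-21-111\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM",
    },
    {   # Write to a different Word key: path does not contain AccessVBOM, no match
        "id": 2,
        "EventType": "Registry Value Modified",
        "RegistryPath": "HKEY_USERS\\S-1-5-21-111\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\Zoom",
    },
    {   # Mixed-case COM name on the command line: Anycase branch fires
        "id": 3,
        "EventType": "Process Creation",
        "SrcProcCmdLine": "powershell.exe -c \"$x = New-Object -ComObject excel.application\"",
    },
    {   # Plain Word launch with no indicators: no match
        "id": 4,
        "EventType": "Process Creation",
        "SrcProcCmdLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n",
    },
    {   # VBProject component access inside a script body: script branch fires
        "id": 5,
        "EventType": "Script Execution",
        "SrcProcCmdScript": "$app.ActiveVBProject.VBComponents.Count",
    },
]


def run_query(events):
    """Return the ids of events the query would surface, in input order."""
    return [e["id"] for e in events if matches_invoke_maldoc(e)]


if __name__ == "__main__":
    for event_id in run_query(SAMPLE_EVENTS):
        print(f"event {event_id} matches Invoke-MalDoc query")
```

Events 1, 3 and 5 match; 2 and 4 do not. When tuning this for a real tenant, the registry branch is the higher-signal side, which is consistent with the description's advice to focus on the Indicator and Command Script objects rather than raw command lines.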