mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
21 lines
794 B
YAML
21 lines
794 B
YAML
title: Invoke-MalDoc
|
|
description: Detection of Invoke-MalDoc.ps1, complementary to T1027 Evasion
|
|
Indicator built into SentinelOne Agent.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Initial Access
|
|
technique: T1566
|
|
subtechnique: 001
|
|
operating_system: windows
|
|
query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")
|
|
AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
|
|
In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
|
|
OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
|
|
false_positives:
|
|
- Macro security setting changes
|
|
- Powershell automation of Office docs
|
|
tags:
|
|
|