initial_access_microsoft_office_file_execution_via_script_interpreter.yml
39 lines (36 loc) · 1.26 KB
name: Microsoft Office file execution via script interpreter
id: bf3ea547-1470-4bcc-9945-3b495d962c2c
version: 1.0.3
description: |
  Identifies execution, via a Windows script interpreter, of an executable file
  that was written by a Microsoft Office process.
labels:
  tactic.id: TA0001
  tactic.name: Initial Access
  tactic.ref: https://attack.mitre.org/tactics/TA0001/
  technique.id: T1566
  technique.name: Phishing
  technique.ref: https://attack.mitre.org/techniques/T1566/
  subtechnique.id: T1566.001
  subtechnique.name: Spearphishing Attachment
  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
condition: >
  sequence
  maxspan 2m
    |create_file and
      ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com', '.scr', '.pif', '.bat') or file.is_exec = true)
    | by file.path
    |spawn_process and
      ps.parent.name iin script_interpreters and
      ps.exe not imatches
        (
          '?:\\Program Files\\*.exe',
          '?:\\Program Files (x86)\\*.exe'
        )
    | by ps.exe
action:
  - name: kill
output: >
  Microsoft Office process %1.ps.exe wrote the file %1.file.path and subsequently executed it via script interpreter %2.ps.exe
severity: high
min-engine-version: 3.0.0
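The following is an added example, not part of the rule file and not the Fibratus rule engine: a small Python re-implementation of the two-stage sequence above, run over constructed telemetry, so the join on `file.path`/`ps.exe`, the 2 minute `maxspan`, and the Program Files exclusion can be seen working. The page does not expand the `msoffice_binaries` and `script_interpreters` macros, so the process lists below are assumptions, as are the event field names and the sample paths.

```python
"""Added example re-implementing the rule's sequence logic over sample events.
Not Fibratus code; macro expansions, event layout and sample paths are assumed."""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Assumed expansions of the rule's macro lists (not given on the page).
MSOFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Values taken from the rule itself (lowercased because the rule uses iin/imatches).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat"}
PROGRAM_FILES_GLOBS = ("?:\\program files\\*.exe", "?:\\program files (x86)\\*.exe")
MAXSPAN = timedelta(minutes=2)


@dataclass
class Event:
    ts: datetime
    kind: str                   # "create_file" or "spawn_process"
    ps_name: str                # image name of the process that generated the event
    ps_exe: str                 # full image path of that process
    parent_name: str = ""       # spawn_process only: image name of the parent
    file_path: str = ""         # create_file only: path that was written
    file_is_exec: bool = False  # create_file only: file carries a PE header


def office_wrote_executable(ev):
    """Stage 1 of the sequence: an Office process wrote an executable-looking file."""
    if ev.kind != "create_file" or ev.ps_name.lower() not in MSOFFICE_BINARIES:
        return False
    ext = ntpath.splitext(ev.file_path)[1].lower()
    return ext in EXEC_EXTENSIONS or ev.file_is_exec


def interpreter_spawned_outside_program_files(ev):
    """Stage 2: a script interpreter launched a binary not under Program Files."""
    if ev.kind != "spawn_process" or ev.parent_name.lower() not in SCRIPT_INTERPRETERS:
        return False
    return not any(fnmatchcase(ev.ps_exe.lower(), g) for g in PROGRAM_FILES_GLOBS)


def detect(events):
    """Join stage 1 and stage 2 on the path (the rule's `by file.path` / `by ps.exe`)
    and require stage 2 within MAXSPAN of stage 1. Returns (create, spawn) pairs."""
    pending = {}  # lowercased path -> latest qualifying create_file event
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if office_wrote_executable(ev):
            pending[ev.file_path.lower()] = ev
        elif interpreter_spawned_outside_program_files(ev):
            key = ev.ps_exe.lower()
            first = pending.get(key)
            if first is not None and ev.ts - first.ts <= MAXSPAN:
                hits.append((first, ev))
                del pending[key]
    return hits


def format_alert(first, second):
    """Mirror of the rule's output template."""
    return (f"Microsoft Office process {first.ps_exe} wrote the file {first.file_path} "
            f"and subsequently executed it via script interpreter {second.parent_name}")


def sample_events():
    """Constructed telemetry for the example; not real data."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    office = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
    tmp = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
    return [
        # 1. match: Office drops invoice.exe, wscript launches it 30 s later
        Event(t0, "create_file", "WINWORD.EXE", office + "WINWORD.EXE", file_path=tmp + "invoice.exe"),
        Event(t0 + timedelta(seconds=30), "spawn_process", "invoice.exe", tmp + "invoice.exe",
              parent_name="wscript.exe"),
        # 2. no match: an ordinary document that is never launched
        Event(t0, "create_file", "WINWORD.EXE", office + "WINWORD.EXE",
              file_path="C:\\Users\\alice\\Documents\\notes.docx"),
        # 3. no match: the spawned binary sits under Program Files (imatches exclusion)
        Event(t0, "create_file", "EXCEL.EXE", office + "EXCEL.EXE",
              file_path="C:\\Program Files\\Vendor\\update.exe"),
        Event(t0 + timedelta(seconds=10), "spawn_process", "update.exe",
              "C:\\Program Files\\Vendor\\update.exe", parent_name="cscript.exe"),
        # 4. no match: launched five minutes later, outside maxspan 2m
        Event(t0, "create_file", "POWERPNT.EXE", office + "POWERPNT.EXE",
              file_path="C:\\Users\\bob\\old.scr"),
        Event(t0 + timedelta(minutes=5), "spawn_process", "old.scr", "C:\\Users\\bob\\old.scr",
              parent_name="mshta.exe"),
    ]


if __name__ == "__main__":
    for first, second in detect(sample_events()):
        print(format_alert(first, second))
```

Only the first pair fires; the Program Files case shows why the exclusion is there (signed vendor updaters launched from scripts would otherwise match), and the five minute case shows that `maxspan` bounds how long a dropped file stays eligible for correlation.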