SigmaHQ/wazuh/rules/sigma_win_office_shell.yml

alert:
- debug
description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
filter:
- query:
    query_string:
      query: (data.win.eventdata.parentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\scrcons.exe OR *\\schtasks.exe OR *\\regsvr32.exe OR *\\hh.exe OR *\\wmic.exe OR *\\mshta.exe OR *\\rundll32.exe OR *\\msiexec.exe OR *\\forfiles.exe OR *\\scriptrunner.exe OR *\\mftrace.exe OR *\\AppVLP.exe OR *\\svchost.exe))
index: wazuh-alerts-3.x-*
name: 438025f9-5856-4663-83f7-52f878a70a50_0
priority: 2
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio`
			`filter:`
			`- query:`
			`query_string:`
			query: (data.win.eventdata.parentImage.keyword:(\\WINWORD.EXE OR \\EXCEL.EXE OR \\POWERPNT.exe OR \\MSPUB.exe OR \\VISIO.exe OR \\OUTLOOK.EXE) AND data.win.eventdata.image.keyword:(\\cmd.exe OR \\powershell.exe OR \\wscript.exe OR \\cscript.exe OR \\sh.exe OR \\bash.exe OR \\scrcons.exe OR \\schtasks.exe OR \\regsvr32.exe OR \\hh.exe OR \\wmic.exe OR \\mshta.exe OR \\rundll32.exe OR \\msiexec.exe OR \\forfiles.exe OR \\scriptrunner.exe OR \\mftrace.exe OR \\AppVLP.exe OR *\\svchost.exe))
			`index: wazuh-alerts-3.x-*`
			`name: 438025f9-5856-4663-83f7-52f878a70a50_0`
			`priority: 2`
			`realert:`
			`minutes: 0`
			`type: any`