valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 01:15:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
SigmaHQ/wazuh/rules/sigma_win_office_shell.yml
joker2013 50379800f2 123
2020-12-03 01:43:30 +03:00

16 lines
834 B
YAML
Raw Permalink Blame History

alert:
- debug
description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
filter:
- query:
query_string:
query: (data.win.eventdata.parentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\scrcons.exe OR *\\schtasks.exe OR *\\regsvr32.exe OR *\\hh.exe OR *\\wmic.exe OR *\\mshta.exe OR *\\rundll32.exe OR *\\msiexec.exe OR *\\forfiles.exe OR *\\scriptrunner.exe OR *\\mftrace.exe OR *\\AppVLP.exe OR *\\svchost.exe))
index: wazuh-alerts-3.x-*
name: 438025f9-5856-4663-83f7-52f878a70a50_0
priority: 2
realert:
minutes: 0
type: any
Reference in New Issue View Git Blame Copy Permalink