Office Macro File Download
- source: sigma
- techniques:
  - t1566
  - t1566.001
Description
Detects the creation of new Office macro-enabled files (.docm, .dotm, .xlsm, .xltm, .potm, .pptm) on a system by an application that receives content from outside the host, such as a browser or mail client.
Detection logic
condition: all of selection_*
selection_ext:
    - TargetFilename|endswith:
        - '.docm'
        - '.dotm'
        - '.xlsm'
        - '.xltm'
        - '.potm'
        - '.pptm'
    - TargetFilename|contains:
        - '.docm:Zone'
        - '.dotm:Zone'
        - '.xlsm:Zone'
        - '.xltm:Zone'
        - '.potm:Zone'
        - '.pptm:Zone'
selection_processes:
    Image|endswith:
        - '\RuntimeBroker.exe'
        - '\outlook.exe'
        - '\thunderbird.exe'
        - '\brave.exe'
        - '\chrome.exe'
        - '\firefox.exe'
        - '\iexplore.exe'
        - '\maxthon.exe'
        - '\MicrosoftEdge.exe'
        - '\msedge.exe'
        - '\msedgewebview2.exe'
        - '\opera.exe'
        - '\safari.exe'
        - '\seamonkey.exe'
        - '\vivaldi.exe'
        - '\whale.exe'
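To show how the detection logic above evaluates against file-creation telemetry, here is an added Python example that is not part of the rule or of the Sigma project. It implements the two selections with the case-insensitive `endswith` / `contains` semantics Sigma uses for string modifiers, combines them with `all of selection_*`, and runs them over a handful of constructed Sysmon-style FileCreate records (fields `Image` and `TargetFilename`; record IDs and paths are made up for the example).

```python
"""Evaluate the 'Office Macro File Download' detection logic over sample events.

Added example, not code from the rule page or the Sigma project.
Assumed event shape: dicts with Sysmon FileCreate-style fields
'Image' (writing process) and 'TargetFilename' (file created).
"""

# selection_ext: TargetFilename|endswith
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm")
# selection_ext: TargetFilename|contains - covers the Zone.Identifier
# alternate data stream Windows writes to downloaded files (Mark of the Web)
ADS_MARKERS = tuple(f"{ext}:Zone" for ext in MACRO_EXTS)
# selection_processes: Image|endswith
DOWNLOADER_IMAGES = (
    "\\RuntimeBroker.exe", "\\outlook.exe", "\\thunderbird.exe", "\\brave.exe",
    "\\chrome.exe", "\\firefox.exe", "\\iexplore.exe", "\\maxthon.exe",
    "\\MicrosoftEdge.exe", "\\msedge.exe", "\\msedgewebview2.exe", "\\opera.exe",
    "\\safari.exe", "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe",
)


def _endswith_any(value: str, suffixes) -> bool:
    """Sigma 'endswith' on a list of values: case-insensitive, any match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    """Sigma 'contains' on a list of values: case-insensitive, any match."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_ext(event: dict) -> bool:
    """Two list items under one selection are OR-ed together."""
    name = event.get("TargetFilename", "")
    return _endswith_any(name, MACRO_EXTS) or _contains_any(name, ADS_MARKERS)


def selection_processes(event: dict) -> bool:
    return _endswith_any(event.get("Image", ""), DOWNLOADER_IMAGES)


def matches(event: dict) -> bool:
    """condition: all of selection_*  -> every selection must be true."""
    return selection_ext(event) and selection_processes(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    # Only the ADS write is logged; the ':Zone' contains-clause still fires.
    {"RecordId": 2,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm:Zone.Identifier"},
    # Word saving a macro file locally: extension matches, process does not.
    {"RecordId": 3,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docm"},
    # Browser download of a non-macro document: process matches, extension does not.
    {"RecordId": 4,
     "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.docx"},
    # Upper-case image name: Sigma string matching is case-insensitive.
    {"RecordId": 5,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache"
                       "\\Content.Outlook\\AB12CD34\\quote.xlsm"},
]


def run(events) -> list:
    """Return the RecordIds of events the rule would alert on."""
    return [e["RecordId"] for e in events if matches(e)]


if __name__ == "__main__":
    print("alerting records:", run(SAMPLE_EVENTS))  # -> [1, 2, 5]
```

Two points the sample set illustrates for tuning: the `:Zone` entries mean the rule still fires when only the `Zone.Identifier` stream write is collected rather than the file body itself, and record 3 shows why the process selection matters, since Office applications saving macro files locally is routine and would otherwise drown the alert. Record 5 relies on the case-insensitive matching that Sigma backends apply; if a backend is configured for case-sensitive comparison, mixed-case image paths from Office will be missed.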