LoFP / very common in environments that rely heavily on macro documents

Techniques

• t1566
• t1566.001

Sample rules

Office Macro File Creation

• source: sigma
• technicques:
  • t1566
  • t1566.001

Description

Detects the creation of a new office macro files on the systems

Detection logic

condition: selection
selection:
  TargetFilename|endswith:
  - .docm
  - .dotm
  - .xlsm
  - .xltm
  - .potm
  - .pptm