Rule Library
Sigma Rules
4 rules found for "Cyb3rEng"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
Windows · File Event
T1204.002 · Malicious File, TA0002 · Execution
Vadim Khrykov (ThreatIntel) +2 · Mon Aug 23 · windows
Detection · high · test
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Windows · Process Creation
TA0005 · Defense Evasion, TA0002 · Execution, T1047 · Windows Management Instrumentation, T1204.002 · Malicious File, +1
Florian Roth (Nextron Systems) +7 · Fri Apr 06 · windows
Detection · high · test
Suspicious WMIC Execution Via Office Process
An Office application called wmic to proxy execution through a LOLBIN process. This is often used to break a suspicious parent-child chain (Office app spawns LOLBin).
Windows · Process Creation
T1204.002 · Malicious File, T1047 · Windows Management Instrumentation, T1218.010 · Regsvr32, TA0002 · Execution, +1
Vadim Khrykov +1 · Mon Aug 23 · windows
Detection · high · test
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1047 · Windows Management Instrumentation, T1204.002 · Malicious File, +1
Vadim Khrykov (ThreatIntel) +2 · Mon Aug 23 · windows