MATCH-S00400.md

File metadata and controls

39 lines (32 loc) · 1.76 KB

# Rules: Web Download via Office Binaries

## Description

Detects a payload downloaded from a remote server by a Microsoft Office process.

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Command and Control |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Web Download via Office Binaries |
| Summary Expression | Office process: {{baseImage}} has executed a remote download |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0043, _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1566, _mitreAttackTechnique:T1566.001, _mitreAttackTechnique:T1566.002, _mitreAttackTechnique:T1566.003, _mitreAttackTechnique:T1598, _mitreAttackTechnique:T1598.001, _mitreAttackTechnique:T1598.002, _mitreAttackTechnique:T1598.003, _mitreAttackTechnique:T1036, _mitreAttackTechnique:T1036.004, _mitreAttackTechnique:T1036.005 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | user_username |
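The page gives the rule's fields and summary expression but not its match expression. The following is an added, constructed Python approximation of the detection logic (not the vendor's rule code) run over constructed normalized process events: it treats the event as a signal when `baseImage` is one of an assumed set of Office binaries and `commandLine` carries an http(s) URL, then renders the page's summary expression and the three risk entities listed above.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the binaries an "Office process" check would match on. The page
# does not list them, so this set is illustrative, not the rule's own.
OFFICE_BINARIES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe",
}

# Remote-download indicator: an http(s) URL anywhere on the command line.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Entities the page says risk is applied to.
RISK_ENTITIES = ("device_hostname", "device_ip", "user_username")


def image_basename(base_image: str) -> str:
    """Reduce a full Windows path to its lower-cased file name."""
    return PureWindowsPath(base_image).name.lower()


def is_office_remote_download(event: dict) -> bool:
    """True when an Office binary's command line references a remote URL."""
    image = image_basename(event.get("baseImage", ""))
    command_line = event.get("commandLine", "")
    return image in OFFICE_BINARIES and REMOTE_URL.search(command_line) is not None


def summarize(event: dict) -> str:
    """Render the page's summary expression for a matching event."""
    return f"Office process: {event['baseImage']} has executed a remote download"


def evaluate(events: list) -> list:
    """Return one signal record per matching event."""
    signals = []
    for ev in events:
        if is_office_remote_download(ev):
            signals.append({
                "signal": "Web Download via Office Binaries",
                "summary": summarize(ev),
                "entities": {k: ev.get(k) for k in RISK_ENTITIES},
            })
    return signals


# Constructed sample events in the normalized-schema field names used on the page.
SAMPLE_EVENTS = [
    {   # Office binary with a URL on its command line: should signal
        "baseImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "commandLine": r'"WINWORD.EXE" https://example.invalid/report.docm',
        "device_hostname": "ws-0042", "device_ip": "10.0.5.23", "user_username": "jdoe",
    },
    {   # Office binary opening a local file: no remote indicator, no signal
        "baseImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "commandLine": r'"EXCEL.EXE" C:\Users\jdoe\Documents\budget.xlsx',
        "device_hostname": "ws-0042", "device_ip": "10.0.5.23", "user_username": "jdoe",
    },
    {   # URL on the command line but not an Office process: out of scope here
        "baseImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "commandLine": "powershell.exe -c Invoke-WebRequest https://example.invalid/a",
        "device_hostname": "ws-0043", "device_ip": "10.0.5.24", "user_username": "asmith",
    },
]

if __name__ == "__main__":
    for signal in evaluate(SAMPLE_EVENTS):
        print(signal["summary"], signal["entities"])
```

Only the first sample produces a signal; the second has no remote indicator and the third is not an Office binary, which is the scope boundary the rule's name and summary expression describe.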