MS Office Template Injection

Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents.

| id: | bba65411-cf61-4d7c-a9a8-a2021684e9ca |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 02/12/2020 |
| updated: | 02/12/2020 |

MITRE ATT&CK™ Mapping

| tactics: | Defense Evasion |
|---|---|
| techniques: | T1221 Template Injection |

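Query

```eql
// Stages are joined on unique_pid, so all three events come from the same process instance
sequence by unique_pid
  // 1. An Office application process
  [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")]
  // 2. A DNS lookup for a name outside the Microsoft and Skype exclusions
  [dns where not wildcard(query_name, "*.microsoft.com", "*.skype.com")]
  // 3. Any network event from that process
  [network where true]
```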
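
The sequence logic of the query, emulated in Python over constructed events, as an added example that is not part of the original analytic. The event layout (the `event_type` key and the `ev` helper), the sample hostnames and the pids are assumptions, and the matcher is a simplified single-pass approximation of EQL sequence semantics.

```python
from fnmatch import fnmatchcase

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXCLUDED = ("*.microsoft.com", "*.skype.com")  # same wildcards as the query

def ev(kind, pid, **fields):
    """Build one event; 'event_type' is an assumed key, not an EQL field."""
    return {"event_type": kind, "unique_pid": pid, **fields}

def match_sequences(events):
    """Return (unique_pid, process_name, query_name) per completed sequence.

    events must be in time order. Names are lower-cased before comparison,
    which is an assumption about how the data should be matched.
    """
    pending = {}  # unique_pid -> [process_name, first non-excluded query or None]
    hits = []
    for e in events:
        pid, kind = e["unique_pid"], e["event_type"]
        if kind == "process" and e["process_name"].lower() in OFFICE_APPS:
            pending[pid] = [e["process_name"], None]        # stage 1
        elif kind == "dns" and pid in pending and pending[pid][1] is None:
            query = e["query_name"].lower()
            if not any(fnmatchcase(query, pat) for pat in EXCLUDED):
                pending[pid][1] = query                     # stage 2
        elif kind == "network" and pid in pending and pending[pid][1]:
            name, query = pending.pop(pid)                  # stage 3
            hits.append((pid, name, query))
    return hits

# Constructed sample events (hostnames and pids are made up for illustration).
SAMPLE_EVENTS = [
    # Word contacting only an excluded domain: stage 2 never matches.
    ev("process", "p1", process_name="WINWORD.EXE"),
    ev("dns", "p1", query_name="officecdn.microsoft.com"),
    ev("network", "p1"),
    # Word resolving a non-excluded domain, then a network event: full match.
    ev("process", "p2", process_name="winword.exe"),
    ev("dns", "p2", query_name="templates.example.test"),
    ev("network", "p2"),
    # Same DNS and network activity from a non-Office process: no stage 1.
    ev("process", "p3", process_name="chrome.exe"),
    ev("dns", "p3", query_name="templates.example.test"),
    ev("network", "p3"),
]

if __name__ == "__main__":
    for hit in match_sequences(SAMPLE_EVENTS):
        print("sequence matched:", hit)
```

Any Office process that resolves a name outside the two excluded wildcards and then produces a network event matches, which is consistent with the analytic's low confidence rating.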