@Samirbous
Created June 2, 2022 21:34
// Three stages from the same winword.exe instance within 30 s: the document is
// opened from an https URL (Office records it under the Server Cache key), a
// non-trivial HTML file lands in the Content.MSO cache, and Word then spawns a child.
sequence with maxspan=30s
  // Stage 1: Word loads a resource from an https:// location (Server Cache entry).
  [registry where process.name : "winword.exe" and
   registry.path : "HKEY_USERS\\*\\Software\\Microsoft\\Office\\*\\Common\\Internet\\Server Cache\\https*"] by process.entity_id
  // Stage 2: the fetched HTML (htm/html, at least 4 KiB) is written to the Office cache.
  [file where event.action == "creation" and
   file.path : "?:\\Users\\*\\AppData\\*\\Content.MSO\\*" and process.name : "winword.exe" and
   file.extension : "htm*" and file.size >= 4096] by process.entity_id
  // Stage 3: that Word process starts a child, excluding the usual benign helpers
  // (print spooler proxy, Office crash reporter, Windows Error Reporting).
  [process where event.action == "start" and process.parent.name : "winword.exe" and
   not process.name : ("splwow64.exe", "DWWIN.EXE", "WerFault.exe")] by process.parent.entity_id
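The three-stage sequence above, re-implemented as a small matcher in Python and run over constructed sample events, so the join keys (`by process.entity_id` / `by process.parent.entity_id`) and the 30 s `maxspan` window can be seen working. This is example code added here; it is not part of the gist and not Elastic's EQL engine. The `like` helper, the sample events, their entity IDs and the "one in-flight sequence per key" simplification are assumptions, and `event.category` is treated as a plain string rather than an ECS array.

```python
"""Toy matcher for the Word Server Cache -> Content.MSO HTML -> child process sequence.
Added example, not the gist author's code and not the EQL engine. Field names follow
ECS as the query does; all events below are constructed."""
import fnmatch
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)
# Child processes the query excludes (compared case-insensitively, as EQL `:` does).
EXCLUDED_CHILDREN = {"splwow64.exe", "dwwin.exe", "werfault.exe"}


def like(value, pattern):
    """Hypothetical helper: case-insensitive glob, standing in for EQL's `:` operator."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def stage_server_cache(ev):
    """[registry where ...] by process.entity_id"""
    return (ev.get("event.category") == "registry"
            and like(ev.get("process.name"), "winword.exe")
            and like(ev.get("registry.path"),
                     r"HKEY_USERS\*\Software\Microsoft\Office\*\Common\Internet\Server Cache\https*"))


def stage_html_cache_file(ev):
    """[file where ...] by process.entity_id"""
    return (ev.get("event.category") == "file" and ev.get("event.action") == "creation"
            and like(ev.get("process.name"), "winword.exe")
            and like(ev.get("file.path"), r"?:\Users\*\AppData\*\Content.MSO\*")
            and like(ev.get("file.extension"), "htm*")
            and ev.get("file.size", 0) >= 4096)


def stage_child_process(ev):
    """[process where ...] by process.parent.entity_id"""
    return (ev.get("event.category") == "process" and ev.get("event.action") == "start"
            and like(ev.get("process.parent.name"), "winword.exe")
            and (ev.get("process.name") or "").lower() not in EXCLUDED_CHILDREN)


# (stage predicate, join field); the join field is the query's `by` clause for that stage.
STAGES = [
    (stage_server_cache, "process.entity_id"),
    (stage_html_cache_file, "process.entity_id"),
    (stage_child_process, "process.parent.entity_id"),
]


def run_sequence(events, maxspan=MAXSPAN):
    """Return completed sequences as lists of three events (one list per alert).
    Simplification versus real EQL: one in-flight partial sequence per join key."""
    pending = {}  # join key -> events matched so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        for idx, (pred, key_field) in enumerate(STAGES):
            key = ev.get(key_field)
            if idx == 0:
                if pred(ev):
                    pending[key] = [ev]  # a new stage-1 hit (re)starts tracking for this key
                    break
                continue
            chain = pending.get(key)
            if chain is None or len(chain) != idx or not pred(ev):
                continue
            if ts - datetime.fromisoformat(chain[0]["@timestamp"]) > maxspan:
                del pending[key]  # window expired: drop the partial sequence
                break
            chain.append(ev)
            if len(chain) == len(STAGES):
                alerts.append(pending.pop(key))
            break
    return alerts


# Constructed sample telemetry: w-1 completes the chain, w-2 only spawns an excluded
# helper, w-3 spawns its child 50 s after stage 1 (outside maxspan).
SAMPLE_EVENTS = [
    {"@timestamp": "2022-06-02T21:30:00", "event.category": "registry", "process.name": "WINWORD.EXE",
     "process.entity_id": "w-1", "registry.path": r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft"
     r"\Office\16.0\Common\Internet\Server Cache\https://files.example.test/doc.html"},
    {"@timestamp": "2022-06-02T21:30:03", "event.category": "file", "event.action": "creation",
     "process.name": "WINWORD.EXE", "process.entity_id": "w-1", "file.extension": "htm", "file.size": 9216,
     "file.path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A1B2C3D4.htm"},
    {"@timestamp": "2022-06-02T21:30:09", "event.category": "process", "event.action": "start",
     "process.name": "cmd.exe", "process.entity_id": "p-1",
     "process.parent.name": "WINWORD.EXE", "process.parent.entity_id": "w-1"},
    {"@timestamp": "2022-06-02T21:31:00", "event.category": "registry", "process.name": "winword.exe",
     "process.entity_id": "w-2", "registry.path": r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft"
     r"\Office\16.0\Common\Internet\Server Cache\https://intranet.example.test/memo.html"},
    {"@timestamp": "2022-06-02T21:31:02", "event.category": "file", "event.action": "creation",
     "process.name": "winword.exe", "process.entity_id": "w-2", "file.extension": "html", "file.size": 20480,
     "file.path": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F00DBEEF.html"},
    {"@timestamp": "2022-06-02T21:31:05", "event.category": "process", "event.action": "start",
     "process.name": "WerFault.exe", "process.entity_id": "p-2",
     "process.parent.name": "winword.exe", "process.parent.entity_id": "w-2"},
    {"@timestamp": "2022-06-02T21:32:00", "event.category": "registry", "process.name": "winword.exe",
     "process.entity_id": "w-3", "registry.path": r"HKEY_USERS\S-1-5-21-1-2-3-1002\Software\Microsoft"
     r"\Office\16.0\Common\Internet\Server Cache\https://files.example.test/late.html"},
    {"@timestamp": "2022-06-02T21:32:04", "event.category": "file", "event.action": "creation",
     "process.name": "winword.exe", "process.entity_id": "w-3", "file.extension": "htm", "file.size": 5000,
     "file.path": r"C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DEADC0DE.htm"},
    {"@timestamp": "2022-06-02T21:32:50", "event.category": "process", "event.action": "start",
     "process.name": "powershell.exe", "process.entity_id": "p-3",
     "process.parent.name": "winword.exe", "process.parent.entity_id": "w-3"},
]

if __name__ == "__main__":
    for chain in run_sequence(SAMPLE_EVENTS):
        print("ALERT", chain[0]["process.entity_id"], "->", chain[2]["process.name"])
```

Running it prints one alert, for `w-1` spawning `cmd.exe`; `w-2` is suppressed by the child-process exclusion list and `w-3` by the 30 s window. The matcher keeps only one partial sequence per key, whereas EQL tracks every candidate; for a single Word instance that rarely matters, but it is the first thing to generalise if you port the logic to another engine.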