Samirbous/dir traversal office

## dir traversal office
process where event.type in ("start", "process_started") and
  process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and

  /* u can add other dir traversal patterns here */
  process.command_line : ("*../../../..*", "*..\\..\\..\\..*", "*..//..//..//..*") and
  process.executable : ("?:\\windows\\system32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe")
	process where event.type in ("start", "process_started") and
	process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and

	/* u can add other dir traversal patterns here */
	process.command_line : ("../../../..", "..\\..\\..\\..", "..//..//..//..") and
	process.executable : ("?:\\windows\\system32\\.exe", "?:\\Windows\\SysWOW64\\.exe")