olafhartong/msoffice-fileblock.xml

## msoffice-fileblock.xml
<Sysmon schemaversion="4.82">
   <EventFiltering>
      <RuleGroup name="" groupRelation="or">
         <FileBlockExecutable onmatch="include">
		<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">excel.exe</Image>
		<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">winword.exe</Image>
		<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">powerpnt.exe</Image>
		<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">outlook.exe</Image>
		<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">msaccess.exe</Image>
		<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">mspub.exe</Image>
         </FileBlockExecutable>
      </RuleGroup>
   </EventFiltering>
</Sysmon>
	<Sysmon schemaversion="4.82">
	<EventFiltering>
	<RuleGroup name="" groupRelation="or">
	<FileBlockExecutable onmatch="include">
	<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">excel.exe</Image>
	<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">winword.exe</Image>
	<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">powerpnt.exe</Image>
	<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">outlook.exe</Image>
	<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">msaccess.exe</Image>
	<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">mspub.exe</Image>
	</FileBlockExecutable>
	</RuleGroup>
	</EventFiltering>
	</Sysmon>