
Visio.exe File Download

Anvilogic Forge

Summary
This detection rule identifies possible abuse of 'Visio.exe', the legitimate Microsoft Visio executable, to fetch files from an external location. It inspects Windows Security process-creation events (Event Code 4688), selects those whose new process is 'visio.exe', and applies a regular expression to the command-line field to find URLs, since a URL handed to Visio on the command line is the pattern that suggests a download from an external source rather than normal document handling. Two practical points: the 4688 command-line field is only populated when the "Include command line in process creation events" audit setting is enabled, so without it the rule sees nothing to match; and Visio can legitimately open a document by URL (for example from a corporate SharePoint site), so expect to tune the rule with an allowlist of trusted document hosts. The detection is mapped to the command-and-control technique Ingress Tool Transfer (T1105), where an attacker uses a trusted, signed binary to move tooling onto a host while blending in with normal software behavior.
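The logic described above, run over a handful of constructed 4688-style events, as an added example. This is illustrative code written for this page, not Anvilogic's rule; the event field names, the sample events, and the TRUSTED_HOSTS allowlist are assumptions made here for the demonstration.

```python
import ntpath
import re
from typing import List, Optional
from urllib.parse import urlsplit

# URL regex: scheme://... up to whitespace, a quote or an angle bracket.
# No capture group, so findall() returns the whole URL.
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\'<>]+', re.IGNORECASE)

# Hypothetical tuning allowlist (assumption for this example): hosts that
# users legitimately open Visio documents from. Not part of the original rule.
TRUSTED_HOSTS = {"sharepoint.example.com"}

# Constructed sample events modelled on Security event 4688 fields.
# These are made-up records, not logs from the page.
SAMPLE_EVENTS = [
    {"EventCode": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE" /n "C:\Users\alice\Documents\network.vsdx"'},
    {"EventCode": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE" http://203.0.113.10:8080/diagram.vsdx'},
    {"EventCode": 4688, "Computer": "WS03", "SubjectUserName": "carol",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE" "https://sharepoint.example.com/sites/net/Shared%20Documents/topology.vsdx"'},
    {"EventCode": 4688, "Computer": "WS04", "SubjectUserName": "dave",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" http://203.0.113.10/report.docx'},
    {"EventCode": 4688, "Computer": "WS05", "SubjectUserName": "erin",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE",
     "CommandLine": ""},  # command-line auditing not enabled on this host
    {"EventCode": 4688, "Computer": "WS06", "SubjectUserName": "frank",
     "NewProcessName": r"C:\Program Files (x86)\Microsoft Office\Office16\visio.exe",
     "CommandLine": r'visio.exe /n HTTP://Files.Example.NET/x.vsdm'},
]


def is_visio_process(new_process_name: str) -> bool:
    """Match on the image name only, case-insensitively (Office installs vary in path)."""
    return ntpath.basename(new_process_name or "").lower() == "visio.exe"


def urls_in_command_line(command_line: str) -> List[str]:
    return URL_RE.findall(command_line or "")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for a single 4688 event, or None if it does not match."""
    if str(event.get("EventCode")) != "4688":
        return None
    if not is_visio_process(event.get("NewProcessName", "")):
        return None
    command_line = event.get("CommandLine", "")
    if not command_line:
        # 4688 only carries the command line when "Include command line in
        # process creation events" is enabled. Surface this as a visibility
        # gap rather than silently treating the event as clean.
        return {"status": "no_cmdline", "computer": event.get("Computer"),
                "process": event.get("NewProcessName")}
    untrusted = [u for u in urls_in_command_line(command_line)
                 if host_of(u) not in TRUSTED_HOSTS]
    if not untrusted:
        return None
    return {"status": "match", "technique": "T1105",
            "computer": event.get("Computer"), "user": event.get("SubjectUserName"),
            "urls": untrusted}


def run_detection(events: List[dict]) -> List[dict]:
    """Apply evaluate() across a batch of events and collect the findings."""
    findings = []
    for event in events:
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is applied per URL host rather than per event, so a command line that mixes a trusted SharePoint URL with an untrusted one still fires. The "no_cmdline" status is deliberately separate from a match: it tells the analyst the rule could not evaluate that host, which is a different problem from a clean result.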
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1105
Created: 2024-02-09