
Summary
This rule aims to detect the injection of remote document templates into Office documents and archives, a method often used in malware distribution. By recursively scanning these files, the rule checks for specific indicators of compromise (IoCs) that align with known remote template attack patterns. The detection logic covers files with common Office extensions as well as certain archive formats, and looks for the "text/xml" MIME type typically associated with Office documents. The search focuses on identifying URLs that suggest a remote template is being loaded, using a regular expression that matches 'http' within a defined distance of the word 'Target' in the document. This makes it a valuable rule for identifying potentially malicious documents that leverage remote resources to execute harmful payloads.
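As an added illustration of the scanning logic described above (example code, not the rule's own implementation): a small Python scanner that recursively walks Office/zip archives and applies a 'Target'-near-URL check to relationship parts, alongside a tighter check on the attachedTemplate relationship type, because ordinary hyperlinks also carry external Targets and would otherwise trip the broad pattern. The file names, regular expressions and relationship fixtures are constructed for this example.

```python
import io
import re
import zipfile

NESTED_EXT = (".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".zip")
# Broad check in the spirit of the rule: 'Target' within a short distance of a URL scheme.
BROAD_RE = re.compile(rb"Target.{0,10}https?://", re.IGNORECASE | re.DOTALL)
# Tighter check: only a relationship whose Type names an attached template.
TEMPLATE_RE = re.compile(
    rb'<Relationship[^>]*relationships/attachedTemplate"[^>]*Target="(https?://[^"]+)"',
    re.IGNORECASE,
)

def rels(rel_type: str, target: str) -> bytes:
    """Constructed OOXML relationship part with one external relationship (test fixture)."""
    return (f'<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
            f'/officeDocument/2006/relationships/{rel_type}" Target="{target}" '
            f'TargetMode="External"/></Relationships>').encode()

def build_archive(members: dict) -> bytes:
    """Pack {member_name: bytes} into an in-memory zip standing in for an OOXML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Recursively walk an archive; return (path, verdict, url) for suspicious .rels parts."""
    findings = []
    if depth > 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for member in z.namelist():
            content, path = z.read(member), f"{name}/{member}"
            if member.lower().endswith(NESTED_EXT):
                findings.extend(scan(path, content, depth + 1))  # document inside an archive
            elif member.lower().endswith(".rels"):
                m = TEMPLATE_RE.search(content)
                if m:
                    findings.append((path, "remote_template", m.group(1).decode()))
                elif BROAD_RE.search(content):
                    findings.append((path, "external_target", None))  # e.g. a plain hyperlink
    return findings

if __name__ == "__main__":
    doc = build_archive({"word/_rels/settings.xml.rels": rels("attachedTemplate", "http://template.example/t.dotm")})
    print(scan("outer.zip", build_archive({"invoice.docx": doc})))
```

The "external_target" verdict is the broad rule's hit and should be triaged as lower confidence than "remote_template", which additionally requires the attachedTemplate relationship type.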
Categories
- Endpoint
- Windows
- macOS
- Application
Data Sources
- File
- Process
- Network Traffic
Created: 2023-05-04