
Summary
This detection rule identifies the Microsoft Publisher binary (MSPUB.EXE) being launched with a URL on its command line, the pattern produced when the application is used to download an arbitrary file over FTP or HTTP/HTTPS. The rule evaluates process creation events on two fields: the image path, which must end in MSPUB.EXE, and the command line, which must contain a URL scheme such as ftp://, http:// or https://. Opening a local .pub document passes a file path rather than a URL, so ordinary use of Publisher should not trigger it. The purpose of the rule is to catch document-processing applications being repurposed as download tools, for example to stage malware or other unauthorized content, a technique that appeals to attackers because the binary is a signed Office component that is unlikely to be blocked by application control. Because the match is made entirely on the process creation record, the rule requires command-line logging to be enabled (for example Sysmon Event ID 1, or Windows Security Event ID 4688 with process command-line auditing turned on); it does not inspect network traffic itself, so a hit should be confirmed against proxy or network logs for the requested destination.
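The matching logic described above, run over a handful of constructed process-creation events, as an added example that is not part of the rule's own definition. The event field names (Image, CommandLine, ParentImage) follow the Sysmon naming convention; the sample events, host paths and destination hosts are invented for illustration only.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like the
# fields a Sysmon Event ID 1 record carries. Paths and hosts are made up.
SAMPLE_EVENTS = [
    # Publisher launched with an HTTPS URL from a shell: should match.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE" https://example.test/payload.pub',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Publisher launched with an FTP URL: should match, scheme is FTP.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE" ftp://files.example.test/brochure.pub',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Ordinary double-click on a local .pub file: a path, not a URL, no match.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE" "C:\Users\alice\Documents\flyer.pub"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # A URL on the command line of a different binary: outside this rule's scope.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe https://example.test/file.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# URL schemes the rule looks for; compared case-insensitively.
URL_SCHEMES = ("ftp://", "http://", "https://")

# Used only to pull the URL out of a matching command line for triage output.
URL_PATTERN = re.compile(r"(?:ftp|https?)://[^\s\"']+", re.IGNORECASE)


def matches_mspub_download(event):
    """Return True when the image is MSPUB.EXE and its command line holds a URL.

    Both conditions mirror the rule: image path ending in \\MSPUB.EXE and a
    command line containing one of the URL schemes. Comparison is lowercase
    because Windows paths and schemes are case-insensitive.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\mspub.exe"):
        return False
    return any(scheme in cmdline for scheme in URL_SCHEMES)


def extract_urls(cmdline):
    """List the URLs found in a command line, for analyst enrichment."""
    return URL_PATTERN.findall(cmdline)


def run_detection(events):
    """Apply the rule to a batch of events and return (event, urls) hits."""
    return [(e, extract_urls(e["CommandLine"]))
            for e in events if matches_mspub_download(e)]


if __name__ == "__main__":
    for event, urls in run_detection(SAMPLE_EVENTS):
        print(f"HIT parent={event['ParentImage']} urls={urls}")
```

Two of the four constructed events fire: the HTTPS and FTP launches. The local-file launch is ignored because only a path appears on the command line, and the curl event is ignored because the image check fails even though a URL is present. When triaging a real hit, the parent process and the extracted URL are the first things to check, followed by proxy logs for the destination, since the rule itself sees no network traffic.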
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
Created: 2022-08-19