Product

Word

3 briefs RSS

XSL Script Execution via COM Interface in Microsoft Office

Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.

Microsoft Office +3 xsl-script com-interface office-macro

2r 5t Jan 26, 2024

low advisory

Suspicious Image Load (taskschd.dll) from MS Office

2 rules 2 TTPs

Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.

Word +4 persistence execution windows image_load scheduled_task

2r 2t Jan 3, 2024

low advisory

Suspicious Command Prompt Network Connection

2 rules 4 TTPs

This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.

Elastic Defend +7 command-prompt network-connection windows execution command-and-control

2r 4t Jan 2, 2024