I'm working on an alert that will trigger if a user opens a Word doc using the Dynamic Data Exchange exploit that launches from a command prompt. I've turned on command line auditing on my workstation and I've been testing the events as they occur. As one can imagine, winword.exe launches and soon after cmd.exe launches (I'm not worried about PowerShell). I think I'm on the right track with the SPL but I'm missing a piece. I'd appreciate some help with this.
winword.exe OR cmd.exe | transaction host startswith="winword.exe" endswith="cmd.exe" maxspan=30s
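The correlation described above, as an added example that is not part of the original post: a Python version of the same 30-second winword.exe-then-cmd.exe window per host, run over constructed 4688-style process-creation events, plus the tighter parent/child check that command line auditing makes possible. The field names (host, New_Process_Name, Creator_Process_Name) are assumed from the common Splunk Windows add-on naming.

```python
# Added example, not from the original post. Emulates
#   transaction host startswith="winword.exe" endswith="cmd.exe" maxspan=30s
# over constructed EventCode 4688 events. Field naming (host, New_Process_Name,
# Creator_Process_Name) is an assumption based on the Splunk Windows add-on.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, New_Process_Name, Creator_Process_Name)
EVENTS = [
    ("2019-01-10 09:00:00", "ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\explorer.exe"),
    ("2019-01-10 09:00:12", "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ("2019-01-10 09:05:00", "ws02", r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\explorer.exe"),
    ("2019-01-10 09:07:00", "ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),  # outside 30s
    ("2019-01-10 09:10:00", "ws03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),  # no Word
]

def basename(path):
    """Executable name only, case-folded, from a full Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate(events, maxspan=timedelta(seconds=30)):
    """Return (host, winword_time, cmd_time) for every cmd.exe start that follows
    a winword.exe start on the same host within maxspan (the transaction window)."""
    by_host = defaultdict(list)
    for ts, host, new_proc, creator in sorted(events):
        by_host[host].append((parse(ts), basename(new_proc)))
    hits = []
    for host, procs in by_host.items():
        open_word = None  # most recent winword.exe start that could still close the window
        for t, new_proc in procs:
            if new_proc == "winword.exe":
                open_word = t
            elif new_proc == "cmd.exe" and open_word is not None and t - open_word <= maxspan:
                hits.append((host, open_word, t))
                open_word = None  # window closed, like transaction's endswith
    return hits

def parent_child(events):
    """Tighter check with no time window: cmd.exe whose creator process is winword.exe.
    Only possible when 4688 events carry Creator_Process_Name."""
    return [(host, ts) for ts, host, new_proc, creator in events
            if basename(new_proc) == "cmd.exe" and basename(creator) == "winword.exe"]
```

The window check will also pair an unrelated cmd.exe that happens to start shortly after Word, so where Creator_Process_Name is available the parent/child check is the lower-noise alert.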