Skip to content

Hide Navigation Hide TOC

Potentially Suspicious Office Document Executed From Trusted Location (f99abdf0-6283-4e71-bd2b-b5c048a94743)

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Cluster A Galaxy A Cluster B Galaxy B Level
Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern Potentially Suspicious Office Document Executed From Trusted Location (f99abdf0-6283-4e71-bd2b-b5c048a94743) Sigma-Rules 1