Application Behavioural Rules

Rule name: MACRO.18022016.002

Description: Detects suspicious child process execution spawned by WINWORD.EXE. Microsoft Word is frequently abused by malicious macros, embedded objects, and phishing documents to launch malware, scripts, ransomware loaders, and LOLBins. This rule blocks any unauthorized child process created by WINWORD.EXE regardless of execution location to prevent malicious document-based attacks and post-exploitation activity.

MITRE ATT&CK IDs:
– T1204.002 Malicious File — User opens malicious document
– T1566.001 Spearphishing Attachment — Malicious Office attachments
– T1059 Command and Scripting Interpreter — Script or command execution
– T1218 System Binary Proxy Execution — LOLBin abuse from Office
– T1064 Malicious Macro — VBA macro execution (legacy ATT&CK mapping)
Rule name: BLKC.C.PS-ENC.251121

Description: Detects suspicious execution of powershell.exe using obfuscated or Base64-encoded command parameters such as -e, -enc, or -EncodedCommand. The rule identifies potentially malicious parent-child process chains commonly used in fileless attacks, malware delivery, LOLBin abuse, and ransomware activity. Upon detection, the engine terminates the PowerShell process, optionally kills or renames the suspicious parent process if it is not present in the trusted allowlist, and prevents further malicious execution.

This is highly associated with:

– Fileless malware
– LOLBins
– Phishing payloads
– Initial access scripts
– Ransomware launchers
– C2 download cradles

Primary MITRE ATT&CK IDs for this rule:

– T1059.001 PowerShell — PowerShell execution
– T1027 Obfuscated Files or Information — Encoded/obfuscated commands

Additional related techniques:

– T1204 User Execution — Malicious document or user-triggered execution
– T1218 System Binary Proxy Execution — LOLBin abuse if launched from trusted binaries
Rule name: NPLOCK.RANSOM.170416

Description: Detects and blocks execution of applications launched from suspicious roaming profile locations such as %AppData%\Roaming. Malware commonly abuses roaming paths to store and execute payloads for persistence, evasion, and user-level execution. The rule terminates unauthorized processes initiated from roaming directories to prevent malware execution, credential theft, ransomware activity, and fileless attack chains.

MITRE ATT&CK IDs:

– T1547 Registry Run Keys / Startup Folder — Persistence from user-writable paths
– T1036 Masquerading — Malware disguised as legitimate applications
– T1204 User Execution — User-triggered malicious execution
– T1105 Ingress Tool Transfer — Payloads downloaded into roaming directories
– T1059 Command and Scripting Interpreter — Script-based malware execution from roaming paths
Rule name: BLKPC.MSHTA.170226

Description: Detects suspicious execution of mshta.exe with malicious command-line patterns such as remote URLs (http/https), embedded PowerShell, or VBScript execution. Attackers commonly abuse mshta.exe as a LOLBin to execute remote payloads, launch fileless malware, bypass application controls, and establish persistence.

MITRE ATT&CK IDs:

– T1218.005 Mshta — Signed Binary Proxy Execution via mshta.exe
– T1059 PowerShell — PowerShell execution
– T1059.005 Visual Basic — VBScript execution
– T1105 Ingress Tool Transfer — Remote payload retrieval
– T1027 Obfuscated Files or Information — Obfuscated/scripted execution
– T1204 User Execution — User-triggered malicious content execution
Rule name: BLKPC.CRUEL.160720

Description: Behaviour rule covering misuse of the certificate utility Certutil.exe to download and launch malware.
Rule name: BLKPC.SUSP_WIN_WMI.201123

Description: This is a behavioural rule. It terminates the application when Winword.exe or excel.exe launches unwanted applications.
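To make the conditions in the rules above concrete, the following added example (not the vendor's engine or rule syntax) evaluates a constructed process-creation event against four of the rules: the Office child-process rules, the encoded-PowerShell rule with its trusted-parent allowlist, the %AppData%\Roaming execution rule, and the mshta.exe command-line rule. The event schema, the allowlist contents and the sample events are all assumptions made up for the example.

```python
import os
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation event (constructed schema, not real telemetry)."""
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    cmdline: str       # command line of the newly created process


# Hypothetical allowlists; a real deployment tunes these per environment.
TRUSTED_PS_PARENTS = {"explorer.exe", "services.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe"}


def _name(path: str) -> str:
    """Lower-case file name of a Windows path, tolerant of forward slashes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_encoded_flag(token: str) -> bool:
    """True for -e, -enc, -EncodedCommand and any other prefix of -EncodedCommand
    that powershell.exe accepts; -ExecutionPolicy and friends do not match."""
    t = token.lower()
    return len(t) > 1 and t[0] == "-" and "encodedcommand".startswith(t[1:])


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the rule IDs from the table above that this event would trigger."""
    hits = []
    parent, child, cl = _name(ev.parent_image), _name(ev.image), ev.cmdline.lower()
    # MACRO.18022016.002: any child of WINWORD.EXE; BLKPC.SUSP_WIN_WMI.201123: Word or Excel child
    if parent == "winword.exe":
        hits.append("MACRO.18022016.002")
    if parent in OFFICE_PARENTS:
        hits.append("BLKPC.SUSP_WIN_WMI.201123")
    # BLKC.C.PS-ENC.251121: powershell.exe with an encoded-command switch; the parent is
    # also actioned unless it is on the trusted allowlist
    if child == "powershell.exe" and any(is_encoded_flag(t) for t in ev.cmdline.split()):
        hits.append("BLKC.C.PS-ENC.251121")
        if parent not in TRUSTED_PS_PARENTS:
            hits.append("BLKC.C.PS-ENC.251121:parent")
    # NPLOCK.RANSOM.170416: image executing from a roaming profile directory
    if "\\appdata\\roaming\\" in ev.image.lower():
        hits.append("NPLOCK.RANSOM.170416")
    # BLKPC.MSHTA.170226: mshta.exe given a remote URL or an embedded script engine call
    if child == "mshta.exe" and any(p in cl for p in ("http://", "https://", "powershell", "vbscript:")):
        hits.append("BLKPC.MSHTA.170226")
    return hits
```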