FalconFriday — Catching more macros — 0xFF0A

In this year’s final FalconFriday we revisit what is possibly the most loved and hated feature among both attackers and defenders: MS Office macros. We’ll provide 2 hunts for macros that are downloaded using the browser and spawn child processes. As a Christmas bonus, we have some ideas for you to enhance those queries even further.

Cross-posted from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-catching-more-macros-0xff0a-ec8273ab115a

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday