Update 900000-exclusion_rules.xml

2025-10-23 08:12:16 +00:00 · 2025-06-11 18:27:36 -05:00
parent ff0129d229
commit 9ea52b133c
1 changed files with 10 additions and 0 deletions
--- a/Rules/900000-exclusion_rules.xml
+++ b/Rules/900000-exclusion_rules.xml
@@ -825,4 +825,14 @@
    <description>Lower Defender Platform LSASS.</description>
    <options>no_full_log</options>
  </rule>
+  <rule id="900116" level="10">
+    <if_sid>92156</if_sid>
+    <field name="win.eventdata.image" type="pcre2">(?i)(winword|excel|powerpnt)\.EXE</field>
+    <field name="win.eventdata.originalFileName" type="pcre2">(?i)VBEUI.DLL</field>
+    <options>no_full_log</options>
+    <description>Office application loaded vbeui.dll module. May be used to execute scripting code</description>
+    <mitre>
+      <id>T1059.005</id>
+    </mitre>
+  </rule>
 </group>