It's Day 11 of #100DaysofLC, and today's detection draws from some threat intelligence from Proofpoint, found here: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week They report on a multi-step attack from TA422; I focused on the LNK and DOCX files created on disk. We can use LimaCharlie's NEW_DOCUMENT event to monitor these files and pivot on a common keyword.
I used the keyword "SEDE-PV-2023". This might be legitimate, but the extensions should help with the rule fidelity.
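To show the detection logic outside the LimaCharlie console, here is an added example (not from the original post and not LimaCharlie's own code) that replays a few constructed NEW_DOCUMENT-style events and flags the ones matching the pattern above: an LNK or DOCX file whose name contains "SEDE-PV-2023". The field layout (`routing.event_type`, `routing.hostname`, `event.FILE_PATH`) and the sample hostnames and paths are assumptions modelled on LimaCharlie's JSON telemetry; check them against events in your own tenant.

```python
"""Toy detector for the TA422 LNK/DOCX pattern over constructed events.

Added example, not code from the original post or from LimaCharlie.
Field names (routing.event_type, routing.hostname, event.FILE_PATH) are
assumed to mirror LimaCharlie's event JSON; adjust if your telemetry differs.
"""
from pathlib import PureWindowsPath

# Keyword taken from the post; matched case-insensitively on the file name.
KEYWORD = "sede-pv-2023"
# Only the two file types the post singles out; other extensions are ignored
# to keep the rule's fidelity high (the keyword alone could be legitimate).
SUSPECT_EXTENSIONS = {".lnk", ".docx"}


def is_suspect_document(event: dict) -> bool:
    """True when a NEW_DOCUMENT event names an LNK/DOCX file containing the keyword."""
    if event.get("routing", {}).get("event_type") != "NEW_DOCUMENT":
        return False
    path = event.get("event", {}).get("FILE_PATH", "")
    if not path:
        return False
    p = PureWindowsPath(path)
    if p.suffix.lower() not in SUSPECT_EXTENSIONS:
        return False
    return KEYWORD in p.name.lower()


def scan(events):
    """Return (hostname, path) pairs for every event that should raise a detection."""
    return [
        (e["routing"].get("hostname", "?"), e["event"]["FILE_PATH"])
        for e in events
        if is_suspect_document(e)
    ]


# Constructed sample telemetry: two true positives, one wrong extension,
# one unrelated document, and one non-document event with a matching name.
SAMPLE_EVENTS = [
    {"routing": {"event_type": "NEW_DOCUMENT", "hostname": "ws-finance-01"},
     "event": {"FILE_PATH": r"C:\Users\alice\Downloads\SEDE-PV-2023-annex.docx"}},
    {"routing": {"event_type": "NEW_DOCUMENT", "hostname": "ws-finance-01"},
     "event": {"FILE_PATH": r"C:\Users\alice\AppData\Local\Temp\Sede-Pv-2023.LNK"}},
    {"routing": {"event_type": "NEW_DOCUMENT", "hostname": "ws-hr-02"},
     "event": {"FILE_PATH": r"C:\Users\bob\Downloads\SEDE-PV-2023.pdf"}},
    {"routing": {"event_type": "NEW_DOCUMENT", "hostname": "ws-hr-02"},
     "event": {"FILE_PATH": r"C:\Users\bob\Documents\budget-2023.docx"}},
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "ws-hr-02"},
     "event": {"FILE_PATH": r"C:\Tools\SEDE-PV-2023.docx"}},
]

if __name__ == "__main__":
    for host, path in scan(SAMPLE_EVENTS):
        print(f"[TA422 LNK/DOCX] {host}: {path}")
```

Running the script prints the two finance-workstation hits and nothing for the PDF, the unrelated DOCX, or the NEW_PROCESS event, which is the behaviour the extension filter in the post is meant to give: the keyword narrows the hunt, the extension check keeps the false-positive rate down.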