SigmaHQ · nasbench · Oct 6, 2024 · Sep 18, 2024 · Oct 6, 2024 · Oct 6, 2024
diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
@@ -1,11 +1,14 @@
-title: Suspicious Office Token Search Via CLI
+title: Potentially Suspicious Office Token Search Via CLI
 id: 6d3a3952-6530-44a3-8554-cf17c116c615
 status: test
-description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
+description: |
+    Detects possible search for office tokens via CLI by looking for the string "eyJ0eX".
+    This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
 references:
     - https://mrd0x.com/stealing-tokens-from-office-applications/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-25
+modified: 2024-10-06
 tags:
     - attack.credential-access
     - attack.t1528
@@ -16,9 +19,13 @@ detection:
     selection:
         CommandLine|contains:
             - 'eyJ0eXAiOi' # {"typ":
+            - 'eyJhbGciOi' # {"alg":
             - ' eyJ0eX'
             - ' "eyJ0eX"'
             - " 'eyJ0eX'"
+            - ' eyJhbG'
+            - ' "eyJhbG"'
+            - " 'eyJhbG'"
     condition: selection
 falsepositives:
     - Unknown