Merge pull request #4027 from nasbench/nasbench-rule-devel

feat: updates and enhancements
Nasreddine Bencherchali
2023-02-10 10:59:14 +01:00
committed by GitHub
22 changed files with 293 additions and 124 deletions
@@ -1,12 +1,12 @@
title: Executable in ADS
title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018/06/03
modified: 2022/12/30
modified: 2023/02/10
tags:
- attack.defense_evasion
- attack.s0139
@@ -1,5 +1,8 @@
title: Suspicious File Download from File Sharing Domain
title: Suspicious File Download From File Sharing Websites
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
@@ -7,7 +10,7 @@ references:
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth (Nextron Systems)
date: 2022/08/24
modified: 2023/01/19
modified: 2023/02/09
tags:
- attack.defense_evasion
- attack.s0139
@@ -44,7 +47,13 @@ detection:
TargetFilename|contains:
- '.exe:Zone'
- '.vbs:Zone'
- '.vbe:Zone'
- '.dll:Zone'
- '.one:Zone'
- '.hta:Zone'
- '.lnk:Zone'
- '.xll:Zone'
- '.cpl:Zone'
condition: all of selection*
fields:
- TargetFilename
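Review bot: the '.one:Zone' entry in this TargetFilename|contains list will not match a downloaded OneNote package, because the string '.onepkg:Zone' does not contain '.one:Zone'. The same pull request extends the OneNote dropped-file rule to '.onepkg', so consider adding '.onepkg:Zone' here as well, or state why packages are out of scope for this rule.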
@@ -1,5 +1,8 @@
title: Unusual File Download from File Sharing Domain
title: Unusual File Download From File Sharing Websites
id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
related:
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
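Review bot: the description kept in this header is word for word the one on the related rule 52182dfb-afb7-41db-b4bc-5336cb29b464 ("Detects the download of suspicious file type from a well-known file and paste sharing domain"), so after the rename to "Unusual File Download From File Sharing Websites" the title and description disagree and the two rules cannot be told apart from the alert text. Suggest rewording the description to say what "unusual" covers here (the script types in this rule's list, such as '.ps1', '.bat' and '.cmd'), now that the rules are cross-linked as similar.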
@@ -7,7 +10,7 @@ references:
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth (Nextron Systems)
date: 2022/08/24
modified: 2023/01/19
modified: 2023/02/10
tags:
- attack.defense_evasion
- attack.s0139
@@ -44,6 +47,7 @@ detection:
TargetFilename|contains:
- '.ps1:Zone'
- '.bat:Zone'
- '.cmd:Zone'
condition: all of selection*
fields:
- TargetFilename
@@ -4,9 +4,10 @@ status: experimental
description: Detects the download of suspicious file type from URLs with IP
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth
- https://labs.withsecure.com/publications/detecting-onenote-abuse
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022/09/07
modified: 2022/12/05
modified: 2023/02/10
tags:
- attack.defense_evasion
- attack.t1564.004
@@ -23,6 +24,11 @@ detection:
- '.vbe:Zone'
- '.vbs:Zone'
- '.dll:Zone'
- '.one:Zone'
- '.cmd:Zone'
- '.hta:Zone'
- '.xll:Zone'
- '.lnk:Zone'
condition: selection
falsepositives:
- Unknown
@@ -1,12 +1,13 @@
title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: experimental
description: Detects creation of files with the ".one" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/22
modified: 2023/02/10
tags:
- attack.defense_evasion
logsource:
@@ -19,8 +20,10 @@ detection:
- '\Users\Public\'
- '\Windows\Temp\'
- 'C:\Temp\'
TargetFilename|endswith: '.one'
TargetFilename|endswith:
- '.one'
- '.onepkg'
condition: selection
falsepositives:
- Legitimate usage of ".one" files from those locations
- Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium
@@ -0,0 +1,42 @@
title: Suspicious File Created Via OneNote Application
id: fcc6d700-68d9-4241-9a1a-06874d621b06
status: experimental
description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/MaD_c4t/status/1623414582382567424
- https://labs.withsecure.com/publications/detecting-onenote-abuse
- https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/09
tags:
- attack.defense_evasion
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\onenote.exe'
- '\onenotem.exe'
- '\onenoteim.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\OneNote\'
- '\Exported\'
TargetFilename|endswith:
# TODO: Add more suspicious extensions
- '.bat'
- '.cmd'
- '.exe'
- '.hta'
- '.htm'
- '.html'
- '.lnk'
- '.ps1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
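Review bot: the TargetFilename|endswith list ships with "# TODO: Add more suspicious extensions" and is narrower than the extension sets this same pull request uses elsewhere; '.dll', '.xll' and '.cpl' appear in the Zone.Identifier list of the file-sharing rule but are absent here. Either add those types now or replace the TODO with a comment that explains the intended scope, since the rule is introduced at level: high with falsepositives set to Unknown.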
@@ -6,7 +6,7 @@ references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
modified: 2023/02/08
modified: 2023/02/10
tags:
- attack.execution
- attack.t1204.002
@@ -18,6 +18,8 @@ detection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
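Review bot: the Image|endswith additions cover '\onenote.exe' and '\onenoteim.exe' but not '\onenotem.exe', which the new file_event rule fcc6d700-68d9-4241-9a1a-06874d621b06 in this pull request does list. If '\onenotem.exe' is left out on purpose, replace "# Just in case" with a comment that says why one binary is in and the other is out; the same applies to the sibling image-load rules that receive the identical two lines.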
@@ -6,7 +6,7 @@ references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
modified: 2023/02/08
modified: 2023/02/10
tags:
- attack.execution
- attack.t1204.002
@@ -19,6 +19,8 @@ detection:
- '\excel.exe'
- '\mspub.exe'
- '\outlook.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|contains: '\clr.dll'
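Review bot: style point on the Image list in this hunk: '\onenote.exe' and '\onenoteim.exe' are inserted after '\outlook.exe', while the sibling rules in this change place them before it, in alphabetical order. Moving the two lines above '\outlook.exe' keeps the lists easy to compare against each other.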
@@ -6,7 +6,7 @@ references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
modified: 2023/02/08
modified: 2023/02/10
tags:
- attack.execution
- attack.t1204.002
@@ -18,6 +18,8 @@ detection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
@@ -6,7 +6,7 @@ references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
modified: 2023/02/08
modified: 2023/02/10
tags:
- attack.execution
- attack.t1204.002
@@ -18,6 +18,8 @@ detection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
@@ -6,7 +6,7 @@ references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
modified: 2023/02/08
modified: 2023/02/10
tags:
- attack.execution
- attack.t1204.002
@@ -18,6 +18,8 @@ detection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
@@ -6,7 +6,7 @@ references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
modified: 2023/02/08
modified: 2023/02/10
tags:
- attack.execution
- attack.t1204.002
@@ -18,6 +18,8 @@ detection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
@@ -8,9 +8,9 @@ description: Detects suspicious child processes of the Microsoft OneNote applica
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
- https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
author: Tim Rauch (rule), Elastic (idea)
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022/10/21
modified: 2023/02/09
modified: 2023/02/10
tags:
- attack.t1566
- attack.t1566.001
@@ -21,66 +21,78 @@ logsource:
detection:
selection_parent:
ParentImage|endswith: '\onenote.exe'
selection_opt_name:
selection_opt_img:
- OriginalFileName:
- 'RUNDLL32.exe'
- 'REGSVR32.exe'
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'InstallUtil.exe'
- 'schtasks.exe'
- 'wmic.exe'
- 'cscript.exe'
- 'wscript.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'MSHTA.EXE'
- 'Msxsl.exe'
- 'IEExec.exe'
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'HH.exe'
- 'javaw.exe'
- 'pcalua.exe'
- 'curl.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'CertOC.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'odbcconf.exe'
- 'msiexec.exe'
- 'msdt.exe'
- 'wscript.exe'
- Image|endswith:
- '\rundll32.exe'
- '\regsvr32.exe'
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\installutil.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\mshta.exe'
- '\msxsl.exe'
- '\ieexec.exe'
- '\cmd.exe'
- '\powershell.exe'
- '\hh.exe'
- '\javaw.exe'
- '\pcalua.exe'
- '\curl.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\certoc.exe'
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\wmic.exe'
- '\workfolders.exe'
- '\odbcconf.exe'
- '\msiexec.exe'
- '\msdt.exe'
selection_opt_exp:
- '\wscript.exe'
selection_opt_explorer:
Image|endswith: '\explorer.exe'
CommandLine|contains:
- '.hta'
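Review bot: the OriginalFileName list under selection_opt_img does not cover several binaries that the Image|endswith list now matches, for example '\pwsh.exe', '\msbuild.exe', '\control.exe' and '\verclsid.exe', so a renamed copy of those is missed while a renamed powershell.exe is still caught. Add the matching OriginalFileName values, or note in a comment that the two lists intentionally differ. Separately, selection_parent still matches only '\onenote.exe', whereas the file_event rule added in this pull request also lists '\onenotem.exe' and '\onenoteim.exe'.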
@@ -92,7 +104,7 @@ detection:
- '.pif'
- '.bat'
- '.cmd'
selection_opt_img:
selection_opt_paths:
Image|contains:
- '\AppData\'
- '\Users\Public\'
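Review bot: the selection names are shuffled across this rule (selection_opt_name becomes selection_opt_img, the old selection_opt_img becomes selection_opt_paths, selection_opt_exp becomes selection_opt_explorer) but the condition line is not part of the visible diff. If the condition references these names explicitly it will either break or, in the case of selection_opt_img, silently point at a different selection. Please confirm it uses a wildcard over selection_opt_* or update it in this change.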
@@ -0,0 +1,28 @@
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
- id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018/12/27
modified: 2023/02/09
tags:
- attack.execution
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
condition: selection
falsepositives:
- Unknown
level: high
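Review bot: the selection matches any command line that contains '\Outlook\Security\EnableUnsafeClientMailRules', so a command that only reads the value, sets it to 0 or deletes it raises the same level: high alert, while the title and description say the setting is being enabled. Suggest adding a second CommandLine condition for the write operation and the enabling value, or softening the title and level, and listing administrative use under falsepositives instead of "Unknown".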
@@ -1,7 +1,9 @@
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
type: derived
- id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
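Review bot: the new related entry marks e212d415-0e93-435f-9e1a-f29005bb4723 as type: derived, but that rule's own related block in this pull request points back to 208748f7-881d-47ac-a29c-07ea84bf691d as type: similar. Pick one relationship and use it on both sides so the cross-references agree.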
@@ -0,0 +1,29 @@
title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
- id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
type: similar
status: test
description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
references:
- https://github.com/sensepost/ruler
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018/12/27
modified: 2023/02/09
tags:
- attack.execution
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\outlook.exe'
Image|startswith: '\\\\'
condition: selection
falsepositives:
- Unknown
level: high
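Review bot: this rule keeps id e212d415-0e93-435f-9e1a-f29005bb4723 from the deleted "Suspicious Execution from Outlook" rule, but the match moves from CommandLine to Image|startswith: '\\\\'. An Outlook child whose image is local and whose arguments point at a UNC path, which the old outlookExec selection caught, no longer triggers here. Confirm that case is covered by the generic Outlook child rule 208748f7-881d-47ac-a29c-07ea84bf691d, or keep a CommandLine selection in this rule. Given the narrower scope, also consider whether reusing the ID is intended.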
@@ -22,9 +22,12 @@ references:
- https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
- https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
- https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2018/04/06
modified: 2023/02/04
modified: 2023/02/10
tags:
- attack.defense_evasion
- attack.execution
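Review bot: minor, on the author line in this header: "Michael Haag" is listed twice. Since the metadata is being touched anyway, drop the duplicate.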
@@ -35,7 +38,7 @@ logsource:
category: process_creation
product: windows
detection:
selection:
selection_parent:
ParentImage|endswith:
- '\EQNEDT32.EXE'
- '\EXCEL.EXE'
@@ -47,36 +50,78 @@ detection:
- '\WINWORD.EXE'
- '\wordpad.exe'
- '\wordview.exe'
Image|endswith:
selection_img:
- OriginalFileName:
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'wscript.exe'
- Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\scrcons.exe'
- '\schtasks.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\mftrace.exe'
- '\AppVLP.exe'
- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\msdt.exe'
- '\control.exe'
- '\msidb.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
- '\wmic.exe'
- '\workfolders.exe'
- '\wscript.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
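Review bot: the rewritten Image|endswith list drops the per-entry reference comments that justified '\wmic.exe', '\svchost.exe' and '\msbuild.exe', and the fields block (CommandLine, ParentCommandLine) is removed without replacement. The URLs survive under references, but nothing ties them to the entries any more, and '\svchost.exe' in particular is hard to justify as an Office child without its pointer. Suggest keeping the three inline comments in the sorted list and stating in the pull request why fields was dropped.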
@@ -1,30 +0,0 @@
title: Suspicious Execution from Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
status: test
description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
references:
- https://github.com/sensepost/ruler
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
author: Markus Neis
date: 2018/12/27
modified: 2022/01/07
tags:
- attack.execution
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
clientMailRules:
CommandLine|contains: 'EnableUnsafeClientMailRules'
outlookExec:
ParentImage|endswith: '\outlook.exe'
CommandLine|contains|all:
- '\\\\'
- '\\'
- '.exe'
condition: clientMailRules or outlookExec
falsepositives:
- Unknown
level: high
@@ -1,8 +1,10 @@
title: Outlook Security EnableUnsafeClientMailRules Setting Enabled
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
- id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
type: similar
- id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
type: similar
status: experimental
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
@@ -10,6 +12,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/08
modified: 2023/02/09
tags:
- attack.defense_evasion
- attack.t1112
@@ -1,7 +1,7 @@
title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
- id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd # EnableUnsafeClientMailRules
type: similar
status: test
description: Detects changes to the registry values related to outlook security settings
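Review bot: the comment added to the related entry labels a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd as the EnableUnsafeClientMailRules rule, but the two EnableUnsafeClientMailRules rules in this pull request carry ids 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 (registry) and 55f0a3a1-846e-40eb-8273-677371b8d912 (process creation), and 6763c6c8 is the one that links back to this rule. Please verify that a166f74e still resolves to an existing rule and correct the id if it is stale.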
@@ -391,11 +391,15 @@ class TestRules(unittest.TestCase):
Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file))
faulty_rules.append(file)
else:
# should probably test if we have only 'id' and 'type' ...
type_ok = True
for ref in related_lst:
id_str = ref['id']
type_str = ref['type']
try:
id_str = ref['id']
type_str = ref['type']
except KeyError:
print(Fore.YELLOW + "Rule {} has an invalid form of 'related/type' value.".format(file))
faulty_rules.append(file)
continue
if not type_str in valid_type:
type_ok = False
# Only add one time if many bad type in the same file
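Review bot: the except clause in the loop only catches KeyError, so a 'related' entry that is not a mapping (for example a bare string) raises TypeError on ref['id'] and aborts the test instead of flagging the rule. The message also blames 'related/type' when the missing key may be 'id', and faulty_rules.append(file) runs once per bad entry, unlike the type check below, which is commented as adding the file only once. Suggest catching (KeyError, TypeError), naming the missing key in the message, and appending the file a single time. The removed note about checking that only 'id' and 'type' are present is still unaddressed.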