diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
index 4148840e1..7beac7d1c 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
@@ -1,12 +1,12 @@
-title: Executable in ADS
+title: Hidden Executable In NTFS Alternate Data Stream
 id: b69888d4-380c-45ce-9cf9-d9ce46e67821
 status: test
-description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
+description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)
 references:
 - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 author: Florian Roth (Nextron Systems), @0xrawsec
 date: 2018/06/03
-modified: 2022/12/30
+modified: 2023/02/10
 tags:
 - attack.defense_evasion
 - attack.s0139
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
similarity index 83%
rename from rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
rename to rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index bb0e9d37a..37db2b043 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -1,5 +1,8 @@
-title: Suspicious File Download from File Sharing Domain
+title: Suspicious File Download From File Sharing Websites
 id: 52182dfb-afb7-41db-b4bc-5336cb29b464
+related:
+ - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
+ type: similar
 status: experimental
 description: Detects the download of suspicious file type from a well-known file and paste sharing domain
 references:
@@ -7,7 +10,7 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/01/19
+modified: 2023/02/09
 tags:
 - attack.defense_evasion
 - attack.s0139
@@ -44,7 +47,13 @@ detection:
 TargetFilename|contains:
 - '.exe:Zone'
 - '.vbs:Zone'
+ - '.vbe:Zone'
 - '.dll:Zone'
+ - '.one:Zone'
+ - '.hta:Zone'
+ - '.lnk:Zone'
+ - '.xll:Zone'
+ - '.cpl:Zone'
 condition: all of selection*
 fields:
 - TargetFilename
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
similarity index 89%
rename from rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
rename to rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index 275c5143a..3996600ca 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -1,5 +1,8 @@
-title: Unusual File Download from File Sharing Domain
+title: Unusual File Download From File Sharing Websites
 id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
+related:
+ - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
+ type: similar
 status: experimental
 description: Detects the download of suspicious file type from a well-known file and paste sharing domain
 references:
@@ -7,7 +10,7 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/01/19
+modified: 2023/02/10
 tags:
 - attack.defense_evasion
 - attack.s0139
@@ -44,6 +47,7 @@ detection:
 TargetFilename|contains:
 - '.ps1:Zone'
 - '.bat:Zone'
+ - '.cmd:Zone'
 condition: all of selection*
 fields:
 - TargetFilename
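Review bot: `.one:Zone` is added to the TargetFilename|contains list but `.onepkg:Zone` is not, although the file_event rule in this same commit extends its OneNote coverage to `.onepkg`; `contains` on `.one:Zone` does not match an `.onepkg:Zone` stream name, so package downloads from these domains stay uncovered. The same omission is in the create_stream_hash_susp_ip_domains hunk on the next line. The extension sets also drift between the two rules without explanation: this one gains `.cpl:Zone`, the IP-domains rule gains `.cmd:Zone` (which here lives in the "unusual" sibling rule). I would add `- '.onepkg:Zone'` next to `.one:Zone` in both lists and either align the remaining sets or comment why they differ.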
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index 697fabe2c..d0597644a 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -4,9 +4,10 @@ status: experimental
 description: Detects the download of suspicious file type from URLs with IP
 references:
 - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
-author: Nasreddine Bencherchali (Nextron Systems), Florian Roth
+ - https://labs.withsecure.com/publications/detecting-onenote-abuse
+author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2022/09/07
-modified: 2022/12/05
+modified: 2023/02/10
 tags:
 - attack.defense_evasion
 - attack.t1564.004
@@ -23,6 +24,11 @@ detection:
 - '.vbe:Zone'
 - '.vbs:Zone'
 - '.dll:Zone'
+ - '.one:Zone'
+ - '.cmd:Zone'
+ - '.hta:Zone'
+ - '.xll:Zone'
+ - '.lnk:Zone'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
index f8cacac22..c1c538d1c 100644
--- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
@@ -1,12 +1,13 @@
 title: OneNote Attachment File Dropped In Suspicious Location
 id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
 status: experimental
-description: Detects creation of files with the ".one" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
+description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
 references:
 - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
 - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/22
+modified: 2023/02/10
 tags:
 - attack.defense_evasion
 logsource:
@@ -19,8 +20,10 @@ detection:
 - '\Users\Public\'
 - '\Windows\Temp\'
 - 'C:\Temp\'
- TargetFilename|endswith: '.one'
+ TargetFilename|endswith:
+ - '.one'
+ - '.onepkg'
 condition: selection
 falsepositives:
- - Legitimate usage of ".one" files from those locations
+ - Legitimate usage of ".one" or ".onepkg" files from those locations
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
new file mode 100644
index 000000000..d3e5b4cc2
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
@@ -0,0 +1,42 @@
+title: Suspicious File Created Via OneNote Application
+id: fcc6d700-68d9-4241-9a1a-06874d621b06
+status: experimental
+description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
+references:
+ - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
+ - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
+ - https://twitter.com/MaD_c4t/status/1623414582382567424
+ - https://labs.withsecure.com/publications/detecting-onenote-abuse
+ - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/09
+tags:
+ - attack.defense_evasion
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\onenote.exe'
+ - '\onenotem.exe'
+ - '\onenoteim.exe'
+ TargetFilename|contains|all:
+ - '\AppData\Local\Temp\OneNote\'
+ - '\Exported\'
+ TargetFilename|endswith:
+ # TODO: Add more suspicious extensions
+ - '.bat'
+ - '.cmd'
+ - '.exe'
+ - '.hta'
+ - '.htm'
+ - '.html'
+ - '.lnk'
+ - '.ps1'
+ - '.vbe'
+ - '.vbs'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
index a267fecca..ae3d55035 100644
--- a/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2023/02/08
+modified: 2023/02/10
 tags:
 - attack.execution
 - attack.t1204.002
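Review bot: The TargetFilename|endswith list in the new rule omits `.one`, `.onepkg`, `.xll`, `.cpl` and `.dll`, all of which the create_stream_hash and file_event hunks in this same commit treat as suspicious, so the `# TODO: Add more suspicious extensions` line could be closed from the commit's own lists instead of being left open. `.htm` and `.html` in a `level: high` rule with `falsepositives: Unknown` deserve a sentence: if OneNote's own export to HTML lands under this `\Exported\` path (I cannot confirm that from here) the rule fires on ordinary use, and a false-positive entry saying so would help tuning. A `related:` entry with `id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0` and `type: similar` would link this rule to the OneNote attachment-drop rule touched two hunks earlier, the way the other new rules in this commit are linked to their siblings.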
@@ -18,6 +18,8 @@ detection:
 Image|endswith:
 - '\excel.exe'
 - '\mspub.exe'
+ - '\onenote.exe'
+ - '\onenoteim.exe' # Just in case
 - '\outlook.exe'
 - '\powerpnt.exe'
 - '\winword.exe'
diff --git a/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
index 3d5d198d1..6d658af65 100644
--- a/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2023/02/08
+modified: 2023/02/10
 tags:
 - attack.execution
 - attack.t1204.002
@@ -19,6 +19,8 @@ detection:
 - '\excel.exe'
 - '\mspub.exe'
 - '\outlook.exe'
+ - '\onenote.exe'
+ - '\onenoteim.exe' # Just in case
 - '\powerpnt.exe'
 - '\winword.exe'
 ImageLoaded|contains: '\clr.dll'
diff --git a/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
index a876cd356..609e80c54 100644
--- a/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2023/02/08
+modified: 2023/02/10
 tags:
 - attack.execution
 - attack.t1204.002
@@ -18,6 +18,8 @@ detection:
 Image|endswith:
 - '\excel.exe'
 - '\mspub.exe'
+ - '\onenote.exe'
+ - '\onenoteim.exe' # Just in case
 - '\outlook.exe'
 - '\powerpnt.exe'
 - '\winword.exe'
diff --git a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
index c6da8451f..397d04f64 100644
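Review bot: `\onenote.exe` and `\onenoteim.exe` are added to the Image list, but `\onenotem.exe`, which the new file_event rule in this commit lists next to them as a OneNote image, is not; the same gap repeats in the clr and gac hunks on this line and in the dsparse, kerberos and vbadll hunks that follow, so the six image_load rules and the file_event rule now disagree on what counts as a OneNote process. The `# Just in case` comment gives a reader nothing to verify; something like `# onenoteim.exe: presumably the OneNote for Windows 10 (Store) image — confirm` states what the entry is and what is uncertain. In the clr hunk the two entries are inserted after `\outlook.exe`, which breaks the alphabetical order the other five hunks keep.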
--- a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2023/02/08
+modified: 2023/02/10
 tags:
 - attack.execution
 - attack.t1204.002
@@ -18,6 +18,8 @@ detection:
 Image|endswith:
 - '\excel.exe'
 - '\mspub.exe'
+ - '\onenote.exe'
+ - '\onenoteim.exe' # Just in case
 - '\outlook.exe'
 - '\powerpnt.exe'
 - '\winword.exe'
diff --git a/rules/windows/image_load/image_load_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
index ba08e4c8e..3e52db8ea 100644
--- a/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2023/02/08
+modified: 2023/02/10
 tags:
 - attack.execution
 - attack.t1204.002
@@ -18,6 +18,8 @@ detection:
 Image|endswith:
 - '\excel.exe'
 - '\mspub.exe'
+ - '\onenote.exe'
+ - '\onenoteim.exe' # Just in case
 - '\outlook.exe'
 - '\powerpnt.exe'
 - '\winword.exe'
diff --git a/rules/windows/image_load/image_load_office_outlook_outlvba.yml b/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
similarity index 100%
rename from rules/windows/image_load/image_load_office_outlook_outlvba.yml
rename to rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
diff --git a/rules/windows/image_load/image_load_office_vbadll_load.yml b/rules/windows/image_load/image_load_office_vbadll_load.yml
index de67e93a7..79f9f7a33 100644
--- a/rules/windows/image_load/image_load_office_vbadll_load.yml
+++ b/rules/windows/image_load/image_load_office_vbadll_load.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2023/02/08
+modified: 2023/02/10
 tags:
 - attack.execution
 - attack.t1204.002
@@ -18,6 +18,8 @@ detection:
 Image|endswith:
 - '\excel.exe'
 - '\mspub.exe'
+ - '\onenote.exe'
+ - '\onenoteim.exe' # Just in case
 - '\outlook.exe'
 - '\powerpnt.exe'
 - '\winword.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
index 82cc52d49..0201d955f 100644
--- a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
@@ -8,9 +8,9 @@ description: Detects suspicious child processes of the Microsoft OneNote applica
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
 - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
-author: Tim Rauch (rule), Elastic (idea)
+author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
 date: 2022/10/21
-modified: 2023/02/09
+modified: 2023/02/10
 tags:
 - attack.t1566
 - attack.t1566.001
@@ -21,66 +21,78 @@ logsource: detection: selection_parent: ParentImage|endswith: '\onenote.exe' - selection_opt_name: + selection_opt_img: - OriginalFileName: - - 'RUNDLL32.exe' - - 'REGSVR32.exe' - 'bitsadmin.exe' + - 'CertOC.exe' - 'CertUtil.exe' - - 'InstallUtil.exe' - - 'schtasks.exe' - - 'wmic.exe' - - 'cscript.exe' - - 'wscript.exe' + - 'Cmd.Exe' - 'CMSTP.EXE' + - 'cscript.exe' + - 'curl.exe' + - 'HH.exe' + - 'IEExec.exe' + - 'InstallUtil.exe' + - 'javaw.exe' - 'Microsoft.Workflow.Compiler.exe' + - 'msdt.exe' + - 'MSHTA.EXE' + - 'msiexec.exe' + - 'Msxsl.exe' + - 'odbcconf.exe' + - 'pcalua.exe' + - 'PowerShell.EXE' - 'RegAsm.exe' - 'RegSvcs.exe' - - 'MSHTA.EXE' - - 'Msxsl.exe' - - 'IEExec.exe' - - 'Cmd.Exe' - - 'PowerShell.EXE' - - 'HH.exe' - - 'javaw.exe' - - 'pcalua.exe' - - 'curl.exe' + - 'REGSVR32.exe' + - 'RUNDLL32.exe' + - 'schtasks.exe' - 'ScriptRunner.exe' - - 'CertOC.exe' + - 'wmic.exe' - 'WorkFolders.exe' - - 'odbcconf.exe' - - 'msiexec.exe' - - 'msdt.exe' + - 'wscript.exe' - Image|endswith: - - '\rundll32.exe' - - '\regsvr32.exe' + - '\AppVLP.exe' + - '\bash.exe' - '\bitsadmin.exe' + - '\certoc.exe' - '\certutil.exe' - - '\installutil.exe' - - '\schtasks.exe' - - '\wmic.exe' - - '\cscript.exe' - - '\wscript.exe' + - '\cmd.exe' - '\cmstp.exe' + - '\control.exe' + - '\cscript.exe' + - '\curl.exe' + - '\forfiles.exe' + - '\hh.exe' + - '\ieexec.exe' + - '\installutil.exe' + - '\javaw.exe' + - '\mftrace.exe' - '\Microsoft.Workflow.Compiler.exe' + - '\msbuild.exe' + - '\msdt.exe' + - '\mshta.exe' + - '\msidb.exe' + - '\msiexec.exe' + - '\msxsl.exe' + - '\odbcconf.exe' + - '\pcalua.exe' + - '\powershell.exe' + - '\pwsh.exe' - '\regasm.exe' - '\regsvcs.exe' - - '\mshta.exe' - - '\msxsl.exe' - - '\ieexec.exe' - - '\cmd.exe' - - '\powershell.exe' - - '\hh.exe' - - '\javaw.exe' - - '\pcalua.exe' - - '\curl.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\schtasks.exe' + - '\scrcons.exe' - '\scriptrunner.exe' - - '\certoc.exe' + - '\sh.exe' + - 
'\svchost.exe' + - '\verclsid.exe' + - '\wmic.exe' - '\workfolders.exe' - - '\odbcconf.exe' - - '\msiexec.exe' - - '\msdt.exe' - selection_opt_exp: + - '\wscript.exe' + selection_opt_explorer: Image|endswith: '\explorer.exe' CommandLine|contains: - '.hta' @@ -92,7 +104,7 @@ detection: - '.pif' - '.bat' - '.cmd' - selection_opt_img: + selection_opt_paths: Image|contains: - '\AppData\' - '\Users\Public\' diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml new file mode 100644 index 000000000..1b47fe697 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml 
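Review bot: The OriginalFileName and Image|endswith alternatives of the rewritten selection_opt_img do not cover the same set of binaries: `AppVLP.exe`, `bash.exe`, `control.exe`, `forfiles.exe`, `mftrace.exe`, `msbuild.exe`, `msidb.exe`, `pwsh.exe`, `scrcons.exe`, `sh.exe`, `svchost.exe` and `verclsid.exe` appear only in the Image list, so for those entries the rule depends on the on-disk file name alone and the OriginalFileName branch, whose purpose is to still match a renamed copy, adds nothing. The new selection_img in proc_creation_win_office_susp_child_processes.yml four lines down has the identical split. Either add the corresponding PE original names for those binaries or put a comment on the Image list saying which entries are deliberately name-only so the asymmetry reads as intended. Note also that `selection_opt_img` was the name of the path selection before this commit and now names the image selection (the old one becomes `selection_opt_paths`); that is safe only if the condition uses a `selection_opt_*` wildcard, and the condition line is outside this hunk.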
@@ -0,0 +1,28 @@
+title: Outlook EnableUnsafeClientMailRules Setting Enabled
+id: 55f0a3a1-846e-40eb-8273-677371b8d912
+related:
+ - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
+ type: similar
+status: test
+description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+references:
+ - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
+ - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
+author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+date: 2018/12/27
+modified: 2023/02/09
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_outlook_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
similarity index 93%
rename from rules/windows/process_creation/proc_creation_win_outlook_susp_child_processes.yml
rename to rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
index d754d929e..f7c267d6f 100644
--- a/rules/windows/process_creation/proc_creation_win_outlook_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
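Review bot: `CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'` only matches when the key path and the value name appear as one contiguous string on the command line. The usual administrative forms pass them as separate arguments (`reg add <key> /v EnableUnsafeClientMailRules ...`, `Set-ItemProperty -Path <key> -Name EnableUnsafeClientMailRules ...`), so the substring never occurs there and this rule is narrower than the deleted proc_creation_win_susp_outlook.yml it replaces, which matched on the bare value name. Splitting the two parts keeps the context without requiring adjacency: `CommandLine|contains|all:` / `- '\Outlook\Security'` / `- 'EnableUnsafeClientMailRules'`. The registry-set sibling rule referenced in `related` covers the value write itself, so this rule's added value is exactly the command-line forms, which makes the current pattern the weak point.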
@@ -1,7 +1,9 @@
 title: Suspicious Outlook Child Process
 id: 208748f7-881d-47ac-a29c-07ea84bf691d
 related:
- - id: 438025f9-5856-4663-83f7-52f878a70a50
+ - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
+ type: derived
+ - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
 type: derived
 status: test
 description: Detects a suspicious process spawning from an Outlook process.
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
new file mode 100644
index 000000000..331db5961
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
@@ -0,0 +1,29 @@
+title: Suspicious Remote Child Process From Outlook
+id: e212d415-0e93-435f-9e1a-f29005bb4723
+related:
+ - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
+ type: similar
+status: test
+description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
+references:
+ - https://github.com/sensepost/ruler
+ - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
+author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+date: 2018/12/27
+modified: 2023/02/09
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ Image|startswith: '\\\\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
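Review bot: The relation between the two Outlook child-process rules is declared asymmetrically: this file lists e212d415-0e93-435f-9e1a-f29005bb4723 as `type: derived`, while the new remote-child rule lists 208748f7-881d-47ac-a29c-07ea84bf691d as `type: similar`; pick one type for the pair so the `related` graph stays consistent. The new remote rule reuses the id of the deleted proc_creation_win_susp_outlook.yml together with its `date: 2018/12/27`, which is the right way to keep history, but a reader of a brand-new file will not know that; a one-line comment next to `id:`, such as `# id and date carried over from proc_creation_win_susp_outlook.yml`, would explain the old date on a new path. Note that `Image|startswith: '\\\\'` keys on a UNC-style image path, so the description's "SMB/WebDav shares" holds only for shares reached by UNC path and not for drive-mapped ones; I cannot confirm from here whether that narrowing is intended, so either the description or a `falsepositives`/comment line should say so.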
diff --git a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
index 9ebca6d31..772e53506 100644
--- a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
@@ -22,9 +22,12 @@ references:
 - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
 - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
 - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
+ - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+ - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
+ - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
 author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io
 date: 2018/04/06
-modified: 2023/02/04
+modified: 2023/02/10
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -35,7 +38,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_parent:
 ParentImage|endswith:
 - '\EQNEDT32.EXE'
 - '\EXCEL.EXE'
@@ -47,36 +50,78 @@ detection: - '\WINWORD.EXE' - '\wordpad.exe' - '\wordview.exe' - Image|endswith: + selection_img: + - OriginalFileName: + - 'bitsadmin.exe' + - 'CertOC.exe' + - 'CertUtil.exe' + - 'Cmd.Exe' + - 'CMSTP.EXE' + - 'cscript.exe' + - 'curl.exe' + - 'HH.exe' + - 'IEExec.exe' + - 'InstallUtil.exe' + - 'javaw.exe' + - 'Microsoft.Workflow.Compiler.exe' + - 'msdt.exe' + - 'MSHTA.EXE' + - 'msiexec.exe' + - 'Msxsl.exe' + - 'odbcconf.exe' + - 'pcalua.exe' + - 'PowerShell.EXE' + - 'RegAsm.exe' + - 'RegSvcs.exe' + - 'REGSVR32.exe' + - 'RUNDLL32.exe' + - 'schtasks.exe' + - 'ScriptRunner.exe' + - 'wmic.exe' + - 'WorkFolders.exe' + - 'wscript.exe' + - Image|endswith: + - '\AppVLP.exe' + - '\bash.exe' + - '\bitsadmin.exe' + - '\certoc.exe' + - '\certutil.exe' - '\cmd.exe' + - '\cmstp.exe' + - '\control.exe' + - '\cscript.exe' + - '\curl.exe' + - '\forfiles.exe' + - '\hh.exe' + - '\ieexec.exe' + - '\installutil.exe' + - '\javaw.exe' + - '\mftrace.exe' + - '\Microsoft.Workflow.Compiler.exe' + - '\msbuild.exe' + - '\msdt.exe' + - '\mshta.exe' + - '\msidb.exe' + - '\msiexec.exe' + - '\msxsl.exe' + - '\odbcconf.exe' + - '\pcalua.exe' - '\powershell.exe' - '\pwsh.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\sh.exe' - - '\bash.exe' - - '\scrcons.exe' - - '\schtasks.exe' + - '\regasm.exe' + - '\regsvcs.exe' - '\regsvr32.exe' - - '\hh.exe' - - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - - '\mshta.exe' - '\rundll32.exe' - - '\msiexec.exe' - - '\forfiles.exe' + - '\schtasks.exe' + - '\scrcons.exe' - '\scriptrunner.exe' - - '\mftrace.exe' - - '\AppVLP.exe' - - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml + - '\sh.exe' + - '\svchost.exe' - '\verclsid.exe' - - '\msdt.exe' - - '\control.exe' - - '\msidb.exe' - condition: 
selection -fields: - - CommandLine - - ParentCommandLine + - '\wmic.exe' + - '\workfolders.exe' + - '\wscript.exe' + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_outlook.yml b/rules/windows/process_creation/proc_creation_win_susp_outlook.yml deleted file mode 100644 index 595c7fd93..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_outlook.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: Suspicious Execution from Outlook -id: e212d415-0e93-435f-9e1a-f29005bb4723 -status: test -description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook -references: - - https://github.com/sensepost/ruler - - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html -author: Markus Neis -date: 2018/12/27 -modified: 2022/01/07 -tags: - - attack.execution - - attack.t1059 - - attack.t1202 -logsource: - category: process_creation - product: windows -detection: - clientMailRules: - CommandLine|contains: 'EnableUnsafeClientMailRules' - outlookExec: - ParentImage|endswith: '\outlook.exe' - CommandLine|contains|all: - - '\\\\' - - '\\' - - '.exe' - condition: clientMailRules or outlookExec -falsepositives: - - Unknown -level: high diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml index f690da2ae..257597d58 100644 --- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml 
@@ -1,8 +1,10 @@
-title: Outlook Security EnableUnsafeClientMailRules Setting Enabled
+title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
 id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
 related:
 - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 type: similar
+ - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
+ type: similar
 status: experimental
 description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
 references:
@@ -10,6 +12,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/08
+modified: 2023/02/09
 tags:
 - attack.defense_evasion
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
index 5a174e8c0..77ce07a27 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
@@ -1,7 +1,7 @@
 title: Outlook Security Settings Updated - Registry
 id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 related:
- - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+ - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd # EnableUnsafeClientMailRules
 type: similar
 status: test
 description: Detects changes to the registry values related to outlook security settings
diff --git a/tests/test_rules.py b/tests/test_rules.py
index a169832b0..cadd92658 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -391,11 +391,15 @@ class TestRules(unittest.TestCase):
 Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file))
 faulty_rules.append(file)
 else:
- # should probably test if we have only 'id' and 'type' ...
 type_ok = True
 for ref in related_lst:
- id_str = ref['id']
- type_str = ref['type']
+ try:
+ id_str = ref['id']
+ type_str = ref['type']
+ except KeyError:
+ print(Fore.YELLOW + "Rule {} has an invalid form of 'related/type' value.".format(file))
+ faulty_rules.append(file)
+ continue
 if not type_str in valid_type:
 type_ok = False
 # Only add one time if many bad type in the same file
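Review bot: `except KeyError` only covers a mapping entry that lacks `id` or `type`; a `related` item that is not a mapping at all (a bare string or number in the list) raises `TypeError` on `ref['id']` and escapes the new branch, so the test crashes instead of reporting the rule. `except (KeyError, TypeError):` covers both shapes with the same message. That message, `"has an invalid form of 'related/type' value"`, also fires when only `id` is missing, so `"has a 'related' entry without 'id' or 'type'"` describes the condition more accurately. The branch also appends `file` once per bad entry, whereas the comment at the end of the hunk says the existing type check adds a file only once; a `break` instead of `continue`, or a flag alongside `type_ok`, would keep the two paths consistent. The enclosing `for` loop and the `type_ok` handling continue past the end of the hunk.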