diff --git a/rules/windows/file_event/file_event_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml
similarity index 84%
rename from rules/windows/file_event/file_event_ripzip_attack.yml
rename to rules/windows/file_event/file_event_win_ripzip_attack.yml
index 1904a63da..7f71a7886 100644
--- a/rules/windows/file_event/file_event_ripzip_attack.yml
+++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml
@@ -6,6 +6,7 @@ references:
     - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
 date: 2022/07/21
+modified: 2022/07/25
 tags:
     - attack.t1547
     - attack.persistence
@@ -13,11 +14,10 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection1: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
+    selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
         TargetFileName|contains|all:
             - '\Microsoft\Windows\Start Menu\Programs\Startup'
             - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
-    selection2:
         Image|endswith: '\explorer.exe'
-    condition: all of selection*
+    condition: selection
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml b/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
index 8339a6588..49497b6e8 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
@@ -1,12 +1,19 @@
 title: Winword LOLBIN Usage
 id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
+related:
+    - id: 2621b3a6-3840-4810-ac14-a02426086171
+      type: obsoletes
+related:
 status: experimental
-description: Winword can be abused as a LOLBIN to download arbitary file or load arbitary DLLs
-author: Nasreddine Bencherchali
+description: |
+    Detects Winword process loading custmom dlls via the '/l' switch.
+    Winword can be abused as a LOLBIN to download arbitary file or load arbitary DLLs.
+author: Nasreddine Bencherchali, Victor Sergeev, oscd.community
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
     - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
 date: 2022/05/17
+modified: 2022/07/25
 logsource:
     category: process_creation
     product: windows
@@ -14,15 +21,16 @@ detection:
     selection_img:
         - Image|endswith: '\WINWORD.exe'
         - OriginalFileName: 'WinWord.exe'
-    selection_cli_http:
-        CommandLine|contains:
-            - 'http://'
-            - 'https://'
-    selection_cli_dll:
+    selection_susp:
         CommandLine|contains:
             - '/l '
             - '.dll'
-    condition: selection_img and 1 of selection_cli*
+            - 'http://'
+            - 'https://'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1202
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_winword_dll_load.yml b/rules/windows/process_creation/proc_creation_win_winword_dll_load.yml
deleted file mode 100644
index 1a6f2ce4f..000000000
--- a/rules/windows/process_creation/proc_creation_win_winword_dll_load.yml
+++ /dev/null
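Review bot: `related:` is declared twice in the new header of proc_creation_win_lolbin_winword.yml — once with the `obsoletes` entry for 2621b3a6-3840-4810-ac14-a02426086171 and again as a bare key immediately before `status: experimental`. Duplicate keys are invalid YAML, and the loaders that tolerate them keep the last value, so the rule would carry `related: null` and the link to the rule deleted in this same commit is silently lost; the Sigma schema also expects `related` to be a list, so validation would fail rather than warn. Drop the second line so the block reads `related:` / `    - id: 2621b3a6-3840-4810-ac14-a02426086171` / `      type: obsoletes`. The new block-scalar description also carries the `custmom` and `arbitary` typos over from the obsoleted rule; `custom` and `arbitrary`.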
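Review bot: The new file ends without a trailing newline after `    - attack.t1202` (the `\ No newline at end of file` marker), which yamllint rejects and which makes the next edit to the tags list show up as a spurious change of that line; add a final newline. Separately, the obsoleted rule matched `CommandLine|contains: '/l'` while the merged `selection_susp` keeps only `'/l '` with a trailing space, so an `/l` argument written without a space is now caught only when the `'.dll'` item also matches; that narrowing is probably deliberate, given how noisy a bare `/l` substring is, but a comment on the `'/l '` line such as `# trailing space intended: the bare '/l' form from the obsoleted rule was too noisy` would record the decision. Because `selection_susp` is a single OR list, `all of selection_*` still fires on any Winword command line containing `.dll` or a URL on its own, as the previous `1 of selection_cli*` did, so the change is equivalent in that respect.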
@@ -1,25 +0,0 @@
-title: Winword.exe Loads Suspicious DLL
-id: 2621b3a6-3840-4810-ac14-a02426086171
-status: test
-description: Detects Winword.exe loading of custmom dll via /l cmd switch
-author: Victor Sergeev, oscd.community
-references:
-    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
-date: 2020/10/09
-modified: 2022/07/11
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\winword.exe'
-        CommandLine|contains: '/l'
-    condition: selection
-fields:
-    - CommandLine
-falsepositives:
-    - Unknown
-level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1202