Merge pull request #3123 from phantinuss/master

fix FP and add Follina reference to description
This commit is contained in:
Florian Roth
2022-06-13 22:54:54 +02:00
committed by GitHub
5 changed files with 12 additions and 6 deletions
@@ -1,7 +1,7 @@
title: Execute Arbitrary Commands Using MSDT.EXE
id: 258fc8ce-8352-443a-9120-8a11e4857fa5
status: experimental
description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 / Follina exploitation
author: Nasreddine Bencherchali (rule)
references:
- https://twitter.com/nao_sec/status/1530196847679401984
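Review bot: the description now names Follina alongside CVE-2022-30190, but the `references:` block below it still carries only the nao_sec tweet; since the point of the change is discoverability by name, consider adding the vendor advisory for CVE-2022-30190 as a second reference so the rule does not depend on a single social-media post.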
@@ -1,7 +1,7 @@
title: MSDT Executed with Suspicious Parent
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: experimental
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
author: Nextron Systems
references:
- https://twitter.com/nao_sec/status/1530196847679401984
@@ -1,7 +1,7 @@
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: experimental
description: Detects sdiagnhost.exe calling a suspicious child process
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
author: Nextron Systems
references:
- https://twitter.com/nao_sec/status/1530196847679401984
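Review bot: the wording here, "(e.g. used in exploits for Follina / CVE-2022-30190)", differs from the "as seen in CVE-2022-30190 / Follina exploitation" phrasing used in the two sibling rules in this PR; align the three descriptions on one form so searches across the rule set by either name behave consistently.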
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/03/26
modified: 2022/06/10
logsource:
category: registry_set
product: windows
@@ -53,10 +53,13 @@ detection:
- '\Outlook\Addins\UCAddin.UCAddin.1'
- '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
filter_officeclicktorun:
Image|startswith:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_avg:
Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
condition: office and office_details and not 1 of filter_*
fields:
- SecurityID
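Review bot: the new `filter_avg` matches `Image` on the exact path `C:\Program Files\AVG\Antivirus\RegSvr.exe`, which will not cover an AVG install under `Program Files (x86)` or a non-default directory, so the false positive this PR aims to fix will reappear on such hosts; an `Image|endswith: '\AVG\Antivirus\RegSvr.exe'` together with the existing `TargetObject|contains` restriction keeps the filter narrow while covering those layouts. The `Image|startswith:` line pair in the same hunk appears to be a whitespace-only change and needs no action.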
@@ -7,7 +7,7 @@ references:
- https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021/01/10
modified: 2022/03/26
modified: 2022/06/10
logsource:
category: registry_set
product: windows
@@ -30,6 +30,9 @@ detection:
- '\winword.exe'
- '\integrator.exe'
- '\OfficeClickToRun.exe'
filter_avg:
Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate Addin Installation
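Review bot: this `filter_avg` duplicates the one added to the Outlook add-in registry rule in the previous hunk, including the exact-path `Image` match, so the same portability concern applies; in addition, the `falsepositives` list still reads only "Legitimate Addin Installation", and since the exclusion exists specifically for an antivirus product registering its Outlook add-in, add an entry such as "Antivirus products registering Outlook add-ins" so analysts tuning the rule understand why the filter is there.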