From 92c2976793b92e2ee4f562e2ead9158ecba17420 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 13 Jun 2022 13:26:17 +0200
Subject: [PATCH 1/2] docs: add Follina reference in description
---
 rules/windows/process_creation/proc_creation_win_msdt.yml | 2 +-
 .../process_creation/proc_creation_win_msdt_susp_parent.yml | 2 +-
 .../proc_creation_win_sdiagnhost_susp_child.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 9eb580e3e..2989d7932 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -1,7 +1,7 @@
 title: Execute Arbitrary Commands Using MSDT.EXE
 id: 258fc8ce-8352-443a-9120-8a11e4857fa5
 status: experimental
-description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
+description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 / Follina exploitation
 author: Nasreddine Bencherchali (rule)
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index f014392af..2f9db68c3 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -1,7 +1,7 @@
 title: MSDT Executed with Suspicious Parent
 id: 7a74da6b-ea76-47db-92cc-874ad90df734
 status: experimental
-description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190
+description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
 author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index 4aead43f5..5cc19de91 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -1,7 +1,7 @@
 title: Sdiagnhost Calling Suspicious Child Process
 id: f3d39c45-de1a-4486-a687-ab126124f744
 status: experimental
-description: Detects sdiagnhost.exe calling a suspicious child process
+description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
From d382f91313dfa1896b7c0fa05e261ecf9ccfbd5b Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 13 Jun 2022 13:26:41 +0200
Subject: [PATCH 2/2] fix: FP with AVG anti virus
---
 .../registry_set_asep_reg_keys_modification_office.yml | 7 +++++--
 .../registry_set/registry_set_office_vsto_persistence.yml | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index 0ccfbc260..dc54aaaae 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
 category: registry_set
 product: windows
@@ -53,10 +53,13 @@ detection:
 - '\Outlook\Addins\UCAddin.UCAddin.1'
 - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
 filter_officeclicktorun:
- Image|startswith:
+ Image|startswith:
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_avg:
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: office and office_details and not 1 of filter_*
 fields:
 - SecurityID
diff --git a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
index 9f2d1fe8a..d3c9a0508 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
@@ -7,7 +7,7 @@ references:
 - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
 category: registry_set
 product: windows
@@ -30,6 +30,9 @@ detection:
 - '\winword.exe'
 - '\integrator.exe'
 - '\OfficeClickToRun.exe'
+ filter_avg:
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate Addin Installation
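Review bot: The new `filter_avg` block in the `@@ -53,10 +53,13 @@` hunk of registry_set_asep_reg_keys_modification_office.yml carries no comment saying why this image/key pair is excluded, so a later maintainer cannot tell a deliberate false-positive exclusion from an over-broad one; add `# Known FP: AVG Antivirus RegSvr.exe registering its Outlook add-in (Antivirus.AsOutExt)` directly above `filter_avg:`. Matching the full `C:\Program Files\AVG\Antivirus\RegSvr.exe` path rather than an `endswith` suffix is the safer choice here, since a suffix-only match would widen the detection gap to any same-named binary outside that directory; if a second install location is ever needed, add it as another list entry under `Image` rather than loosening the modifier. Pairing `Image` with `TargetObject|contains` in one mapping keeps the exclusion scoped to that single add-in key, which is correct. The identical uncommented filter is added in registry_set_office_vsto_persistence.yml (hunk `@@ -30,6 +30,9 @@`). The enclosing `detection:` mapping starts before the hunk.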
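Review bot: The `falsepositives:` list at the end of the `@@ -30,6 +30,9 @@` hunk in registry_set_office_vsto_persistence.yml still reads only `- Legitimate Addin Installation`, while the new `filter_avg` now encodes a specific, named source of noise; add `- AVG Antivirus registering its Outlook add-in (Antivirus.AsOutExt) through RegSvr.exe` so the exclusion is documented where rule consumers look for it. The `falsepositives` section of the asep rule is outside the visible hunk, so it presumably needs the same entry. The enclosing `detection:` mapping starts before the hunk.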