security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: duplicate ids and small updates

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2023-02-08 19:36:55 +01:00
parent 4d1bd7663b
commit 4bb2beeb15
6 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
+3
View File
@@ -1,5 +1,8 @@
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
- id: 117d3d3a-755c-4a61-b23e-9171146d094c
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
+4 -1
View File
@@ -1,5 +1,8 @@
title: Suspicious Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
- id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
+1 -1
View File
@@ -1,5 +1,5 @@
title: Publisher Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: experimental
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
references:
rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+1 -1
View File
@@ -1,5 +1,5 @@
title: Outlook Security EnableUnsafeClientMailRules Value Was Enabled
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
- id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
type: similar
rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml → rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
+2 -2
View File
@@ -1,7 +1,7 @@
title: Persistent Outlook Landing Pages
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
status: experimental
description: Detects the manipulation of persistent URLs which can be malicious
description: Detects potential persistence activity via outlook home pages.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml → rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+3 -3
View File
@@ -1,9 +1,9 @@
title: Persistent Outlook Landing Today Pages
title: Potential Persistence Via Outlook Today Pages
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
status: experimental
description: Detects the manipulation of persistent URLs which could execute malicious code
description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
author: Tobias Michalski (Nextron Systems)
date: 2021/06/10
modified: 2023/02/08