From 4bb2beeb15f31398a67afb0e6c615b5b9419d322 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 8 Feb 2023 19:36:55 +0100
Subject: [PATCH] fix: duplicate ids and small updates
---
 .../file_event_win_office_outlook_macro_creation.yml | 3 +++
 .../file_event_win_office_outlook_susp_macro_creation.yml | 5 ++++-
 ...e_event_win_office_publisher_files_in_susp_locations.yml | 2 +-
 ...y_set_office_outlook_enable_unsafe_client_mail_rules.yml | 2 +-
 ...ew.yml => registry_set_persistence_outlook_homepage.yml} | 4 ++--
 ...e.yml => registry_set_persistence_outlook_todaypage.yml} | 6 +++---
 6 files changed, 14 insertions(+), 8 deletions(-)
 rename rules/windows/registry/registry_set/{registry_set_outlook_registry_webview.yml => registry_set_persistence_outlook_homepage.yml} (88%)
 rename rules/windows/registry/registry_set/{registry_set_outlook_registry_todaypage.yml => registry_set_persistence_outlook_todaypage.yml} (78%)
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
index 1cd292970..6ae6bf491 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
@@ -1,5 +1,8 @@
 title: New Outlook Macro Created
 id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+related:
+ - id: 117d3d3a-755c-4a61-b23e-9171146d094c
+ type: derived
 status: test
 description: Detects the creation of a macro file for Outlook.
 references:
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
index 91c78628b..80c349fe7 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
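Review bot: The new `related` block marks this base rule as `type: derived` from 117d3d3a-755c-4a61-b23e-9171146d094c, while the next hunk (file_event_win_office_outlook_susp_macro_creation.yml) marks that rule as `derived` from this one, so the two rules now declare a circular derivation. A derivation has a direction: only the narrower Suspicious rule should carry `type: derived`, and this base rule should either drop its `related` block or use the symmetric `type: similar` that registry_set_office_outlook_enable_unsafe_client_mail_rules.yml already uses. Both rules also keep the identical context line `description: Detects the creation of a macro file for Outlook.`, which no longer tells an analyst what distinguishes the suspicious variant from the baseline; the suspicious rule's description should state what makes the hit suspicious (its detection section is outside the hunk, so the wording has to come from there).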
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
@@ -1,5 +1,8 @@
 title: Suspicious Outlook Macro Created
-id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+id: 117d3d3a-755c-4a61-b23e-9171146d094c
+related:
+ - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+ type: derived
 status: test
 description: Detects the creation of a macro file for Outlook.
 references:
diff --git a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
index 1c254294a..9be3ad795 100644
--- a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
@@ -1,5 +1,5 @@
 title: Publisher Attachment File Dropped In Suspicious Location
-id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
+id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
 status: experimental
 description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index ef58331b6..4b5173361 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -1,5 +1,5 @@
 title: Outlook Security EnableUnsafeClientMailRules Value Was Enabled
-id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
 related:
 - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 type: similar
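Review bot: The Publisher rule's id changes from 7fd164ba-126a-4d9c-9392-0d4f7c243df0 to 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1 without the rule recording its previous identifier anywhere, and the same applies to registry_set_office_outlook_enable_unsafe_client_mail_rules.yml in the following hunk (a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd to 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08). Downstream consumers key tuning, suppressions and SIEM mappings on the rule UUID, so a silent id change breaks those references, and the reason (a duplicate id, per the subject line) is only visible in the commit, not in the rule. The Sigma related-type vocabulary has `renamed` for exactly this case, so a `related` entry such as `- id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0` with `type: renamed` would preserve the trail; if the old id is still live on the colliding rule and the link would resolve to it, note the change in the changelog instead. The `modified:` field of both rules lies outside these hunks, so confirm it was bumped along with the id.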
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
similarity index 88%
rename from rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
rename to rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
index 281654ef9..9ffc83fd2 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
@@ -1,7 +1,7 @@
-title: Persistent Outlook Landing Pages
+title: Potential Persistence Via Outlook Home Page
 id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
 status: experimental
-description: Detects the manipulation of persistent URLs which can be malicious
+description: Detects potential persistence activity via outlook home pages.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
 - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
similarity index 78%
rename from rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
rename to rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index 082c62334..ba2325e30 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
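Review bot: The new line `description: Detects potential persistence activity via outlook home pages.` drops the only mechanism hint the old text carried (a manipulated URL) and says less than the todaypage rule's new description in the next hunk, which names the registry value the attacker sets; an analyst triaging a hit cannot tell from this line what the rule keys on. Mirror that level of detail here by naming the value the detection section matches (the detection block is outside the hunk) and capitalize the product name, e.g. `description: Detects potential persistence activity via Outlook folder home pages, where an attacker sets a custom URL as a folder's home page.` The title already says "Home Page", so the description should use the same term rather than the generic "home pages".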
@@ -1,9 +1,9 @@
-title: Persistent Outlook Landing Today Pages
+title: Potential Persistence Via Outlook Today Pages
 id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
 status: experimental
-description: Detects the manipulation of persistent URLs which could execute malicious code
+description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
 references:
- - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
 author: Tobias Michalski (Nextron Systems)
 date: 2021/06/10
 modified: 2023/02/08
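Review bot: The new description calls `"UserDefinedUrl"` a registry key, but a name that holds a URL string is presumably a registry value under a key, and a responder following the text would look for a subkey that does not exist; the detection block that would settle this is outside the hunk. Also capitalize the product name for consistency with the title. Suggest: `description: Detects potential persistence activity via Outlook Today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry value "UserDefinedUrl".`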