Merge pull request #3105 from secDre4mer/master
feat: new rule for persistence using Office startup
This commit is contained in:
Florian Roth
@@ -0,0 +1,41 @@
|
||||
title: Office Template Creation
|
||||
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
|
||||
status: experimental
|
||||
description: Detects creation of template files for Microsoft Office from outside Office
|
||||
author: Max Altgelt
|
||||
date: 2022/06/02
|
||||
references:
|
||||
- https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1137
|
||||
logsource:
|
||||
category: file_event
|
||||
product: windows
|
||||
detection:
|
||||
selection_word:
|
||||
TargetFilename|endswith:
|
||||
- .dot
|
||||
- .dotm
|
||||
- .doc
|
||||
- .docm
|
||||
- .docx
|
||||
- .rtf
|
||||
TargetFilename|contains: '\Microsoft\Word\Startup'
|
||||
selection_excel:
|
||||
TargetFilename|endswith:
|
||||
- .xlt
|
||||
- .xltm
|
||||
- .xls
|
||||
- .xlsm
|
||||
- .xlsx
|
||||
TargetFilename|contains: '\Microsoft\Excel\Startup'
|
||||
filter_office:
|
||||
Image|endswith:
|
||||
- \WINWORD.exe
|
||||
- \EXCEL.exe
|
||||
condition: 1 of selection* and not filter_office
|
||||
falsepositives:
|
||||
- Loading a user environment from a backup or a domain controller
|
||||
- Synchronization of templates
|
||||
level: high
|
||||
Reference in New Issue
Block a user