From c32e0b27a5fa4590c86e4d79bda067132ad34e64 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Tue, 7 Jun 2022 14:01:22 +0100
Subject: [PATCH] feat: new rule for persistence using Office startup
---
 .../file_event_win_word_template_creation.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_word_template_creation.yml
diff --git a/rules/windows/file_event/file_event_win_word_template_creation.yml b/rules/windows/file_event/file_event_win_word_template_creation.yml
new file mode 100644
index 000000000..a94a226da
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_word_template_creation.yml
@@ -0,0 +1,41 @@
+title: Office Template Creation
+id: 0e20c89d-2264-44ae-8238-aeeaba609ece
+status: experimental
+description: Detects creation of template files for Microsoft Office from outside Office
+author: Max Altgelt
+date: 2022/06/02
+references:
+ - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
+tags:
+ - attack.persistence
+ - attack.t1137
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_word:
+ TargetFilename|endswith:
+ - .dot
+ - .dotm
+ - .doc
+ - .docm
+ - .docx
+ - .rtf
+ TargetFilename|contains: '\Microsoft\Word\Startup'
+ selection_excel:
+ TargetFilename|endswith:
+ - .xlt
+ - .xltm
+ - .xls
+ - .xlsm
+ - .xlsx
+ TargetFilename|contains: '\Microsoft\Excel\Startup'
+ filter_office:
+ Image|endswith:
+ - \WINWORD.exe
+ - \EXCEL.exe
+ condition: 1 of selection* and not filter_office
+falsepositives:
+ - Loading a user environment from a backup or a domain controller
+ - Synchronization of templates
+level: high
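Review bot: The `selection_excel` path `\Microsoft\Excel\Startup` does not appear to be a default Excel location; Excel's per-user auto-load folder is `%APPDATA%\Microsoft\Excel\XLSTART`, so as written this branch is unlikely to ever match — the line should probably read `TargetFilename|contains: '\Microsoft\Excel\XLSTART'`, and both `contains` values would benefit from a trailing backslash so that only files inside the folder are matched. The extension lists also omit the add-in formats that are the classic payload for this technique (`.xla`/`.xlam` dropped into XLSTART, `.wll` dropped into Word's STARTUP) as well as the macro-free template types `.dotx`/`.xltx`; consider adding them and tagging the sub-techniques `attack.t1137.001` and `attack.t1137.006` alongside `attack.t1137`. Note that `filter_office` excludes any write performed by `WINWORD.exe`/`EXCEL.exe`, so a template dropped by a macro running inside Office is a known blind spot of this rule; that limitation is worth stating in `description`, e.g. `Detects creation of template or add-in files in the Office startup folders by a process other than Office itself (writes made by Office macros are not covered)`.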