Merge PR #5517 from @swachchhanda000 - fix: office 365 apps related false-positives

remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered every time any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriveSetup.exe
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Swachchhanda Shrawan Poudel
2025-10-17 07:57:13 +05:45
committed by GitHub
parent ff558d8561
commit c3b0256d71
14 changed files with 93 additions and 35 deletions
@@ -1,12 +1,12 @@
title: Active Directory Parsing DLL Loaded Via Office Application
id: a2a3b925-7bb0-433b-b508-db9003263cc4
status: test
status: deprecated # In the AD Environment, dsparse.dll is loaded everytime an Office application is launched, so this rule is not useful.
description: Detects DSParse DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-28
modified: 2025-10-17
tags:
- attack.execution
- attack.t1204.002
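Review bot: the deprecation rationale lives only in a trailing comment on `status: deprecated` (which also has the typo "everytime"), while `description` still reads "Detects DSParse DLL being loaded by an Office Product" as if the rule were active; put the reason (dsparse.dll is loaded on every Office launch in AD environments) into `description` as well so it survives tooling that strips YAML comments, and consider whether a narrower rule (for example requiring the DLL to load from a non-standard path) could keep T1204.002 coverage instead of dropping it outright.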
@@ -9,7 +9,7 @@ references:
- Internal Research
author: Samir Bousseaden, @neu5ron
date: 2020-04-02
modified: 2021-11-27
modified: 2025-10-17
tags:
- attack.collection
logsource:
@@ -28,7 +28,7 @@ detection:
- '.bak'
- '.dmp'
- '.kirbi'
- '\groups.xml'
# - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
- '.rdp'
condition: selection
falsepositives:
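Review bot: commenting out `\groups.xml` removes the one entry in this list that is a specific filename rather than an extension, and with it the detection of reads of the GPP file in which plaintext credentials (cpassword) historically sat. Because the stated FP source is Group Policy processing, which reads the file from the SYSVOL share, a filter on the SYSVOL path would suppress that traffic while still alerting on groups.xml pulled from anywhere else; at minimum the `falsepositives` section should mention the dropped entry so users know to re-enable it where Group Policy noise is not a problem.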
@@ -9,7 +9,7 @@ references:
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-10-07
modified: 2025-10-17
tags:
- attack.defense-evasion
logsource:
@@ -35,6 +35,7 @@ detection:
- 'https://statics.teams.cdn.office.net/'
- 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
- 'https://installer.teams.static.microsoft/'
- 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
filter_optional_onedrive:
Path|contains: 'AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
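Review bot: the new entry `'https://res.cdn.office.net'` lacks the trailing slash that the neighbouring entries `'https://statics.teams.cdn.office.net/'` and `'https://installer.teams.static.microsoft/'` carry; if this list is evaluated with a prefix (`startswith`) or `contains` match, the slash-less form also matches a look-alike origin such as `https://res.cdn.office.net.example/...`, so it should end with `/` like the others.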
@@ -9,7 +9,7 @@ references:
- Internal Research
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-10-09
modified: 2025-10-17
tags:
- attack.collection
- attack.t1039
@@ -31,7 +31,7 @@ detection:
- '.ost'
- '.pst'
- '.rdp'
- '\groups.xml'
# - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or backup software
@@ -7,7 +7,7 @@ references:
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2023-06-22
modified: 2025-10-17
tags:
- attack.t1204.002
- attack.execution
@@ -42,6 +42,9 @@ detection:
- '.vbs'
- '.wsf'
- '.wsh'
filter_main_localassembly:
TargetFilename|contains: '\AppData\Local\assembly\tmp\'
TargetFilename|endswith: '.dll'
filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
TargetFilename|contains|all:
- 'C:\Users\'
@@ -54,9 +57,12 @@ detection:
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_main_localassembly:
TargetFilename|contains: '\AppData\Local\assembly\tmp\'
TargetFilename|endswith: '.dll'
filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\BackstageInAppNavCache\'
TargetFilename|endswith: '.com'
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
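Review bot: `filter_optional_backstageinappnavcache` keys on `TargetFilename|endswith: '.com'` plus the `\BackstageInAppNavCache\` directory, which excludes every file ending in `.com` under that cache, not only the `ODB-user@domain.com` directory shown in the comment; an Office process writing a `.com` executable into that path would be filtered. Anchoring on the directory-name pattern (`'\BackstageInAppNavCache\ODB-'`) or, as the existing `filter_optional_webservicecache` comment does for `*.microsoft.com`, documenting that only a directory name is expected would tighten it. The `filter_main_localassembly` block is only moved (deleted in the previous hunk, re-added here unchanged), which adds noise to the diff.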
@@ -10,7 +10,7 @@ references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-10-07
modified: 2025-10-17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,10 +20,13 @@ logsource:
detection:
selection:
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
filter_update:
filter_main_update:
- Image: 'C:\Windows\System32\wuauclt.exe'
- TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
condition: selection and not filter_update
filter_optional_onenote:
Image|endswith: '\ONENOTE.EXE'
TargetFilename|endswith: '\Send to OneNote.lnk'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium
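Review bot: `filter_optional_onenote` matches `Image|endswith: '\ONENOTE.EXE'` with no path constraint, so any binary named ONENOTE.EXE in a user-writable location that drops `Send to OneNote.lnk` into the Startup folder is excluded, whereas the sibling `filter_main_update` pins `wuauclt.exe` to `C:\Windows\System32\`. Prefer `Image|startswith` on the Office install root (`C:\Program Files\Microsoft Office\` / `C:\Program Files (x86)\Microsoft Office\`) combined with the `endswith`, as other filters in this PR do for OfficeClickToRun.exe.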
@@ -11,7 +11,7 @@ references:
- https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2022-10-31
modified: 2025-10-07
modified: 2025-10-17
tags:
- attack.defense-evasion
- attack.impact
@@ -36,6 +36,8 @@ detection:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_null_image:
Image: null
filter_optional_programdata_packagecache:
# The following filter is required because of many FPs cause by:
# C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
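Review bot: `filter_main_null_image` with `Image: null` silently discards every vssapi.dll load whose loading process the sensor could not resolve, which is not the same thing as a benign load; because a null `Image` is a property of the logging backend rather than of the activity, this belongs under `filter_optional_` and should carry the same `# Observed through Aurora` annotation that the identical filter in the Vsstrace rule of this PR has, so operators on Sysmon-only pipelines know it is safe to drop.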
@@ -11,7 +11,7 @@ references:
- https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2023-02-17
modified: 2025-10-07
modified: 2025-10-17
tags:
- attack.defense-evasion
- attack.impact
@@ -32,6 +32,8 @@ detection:
- 'C:\Windows\Temp\{' # Installers
- 'C:\Windows\WinSxS\'
- 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE
filter_main_null_image:
Image: null # Observed through Aurora
filter_main_program_files:
# When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
Image|startswith:
@@ -9,7 +9,7 @@ references:
- https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-02-26
modified: 2025-10-17
tags:
- attack.execution
- attack.t1059.001
@@ -32,10 +32,15 @@ detection:
Image|endswith: '\svchost.exe'
OriginalFileName: 'WsmWmiPl.dll'
filter_general:
Image|endswith:
- '\powershell.exe'
Image:
- 'C:\Program Files (x86)\PowerShell\6\pwsh.exe'
- 'C:\Program Files (x86)\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\6\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Windows\System32\sdiagnhost.exe'
- 'C:\Windows\System32\services.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
filter_svchost: # not available in Sysmon data, but Aurora logs
CommandLine|contains:
- 'svchost.exe -k netsvcs -p -s BITS'
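Review bot: replacing `Image|endswith: '\powershell.exe'` with full paths is a sound tightening, but the list covers `System32\WindowsPowerShell\v1.0\powershell.exe` only and omits the 32-bit `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`, so every WSMan provider load by 32-bit PowerShell now fires; likewise only `PowerShell\6\` and `PowerShell\7\` are listed, so a future major version or a preview install (`PowerShell\7-preview\`) would alert. Either add the SysWOW64 path and state in a comment that other pwsh install roots are intentionally not filtered, or use `Image|startswith: 'C:\Program Files\PowerShell\'` together with `Image|endswith: '\pwsh.exe'`.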
@@ -57,10 +62,10 @@ detection:
Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
filter_citrix:
Image|startswith: 'C:\Program Files\Citrix\'
filter_ps_ise:
Image|endswith: '\powershell_ise.exe'
filter_upgrade:
Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
filter_mmc:
Image|endswith: '\mmc.exe'
svchost:
Image|endswith: '\svchost.exe'
commandline_null:
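Review bot: `filter_mmc` uses `Image|endswith: '\mmc.exe'` with no path, which contradicts the full-path tightening applied to `filter_general` in the same rule a few lines above and lets any executable named mmc.exe bypass the rule; pin it to `C:\Windows\System32\mmc.exe` (and the `SysWOW64` copy if that was observed), and note in a comment which MMC snap-in was seen loading the WSMan provider so the filter can be scoped further later.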
@@ -10,7 +10,7 @@ references:
- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-06
modified: 2025-10-17
tags:
- attack.execution
- attack.t1203
@@ -38,15 +38,22 @@ detection:
- 'fc00::/7' # IPv6 private addresses
filter_main_msrange_generic:
DestinationIp|cidr:
- '2.16.56.0/23' # Akamai International B.V.
- '2.17.248.0/21' # Akamai International B.V.
- '13.107.240.0/21' # Microsoft Corporation
- '20.184.0.0/13' # Microsoft Corporation
- '23.61.224.0/20' # Akamai-AS
- '20.192.0.0/10' # Microsoft Corporation
- '23.72.0.0/13' # Akamai International B.V.
- '23.3.88.0/22' # Akamai-AS
- '23.216.132.0/22' # Akamai-AS
- '40.76.0.0/14' # Microsoft Corporation
- '51.10.0.0/15' # Microsoft Corporation
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
- '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
- '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
- '95.101.96.0/21' # Akamai-As
- '204.79.197.0/24' # Microsoft Corporation
filter_main_msrange_exchange_1:
# Exchange Online
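Review bot: `filter_main_msrange_generic` now excludes whole Akamai allocations (`2.17.248.0/21`, `23.72.0.0/13`, `95.101.96.0/21`, ...) and large Azure blocks (`20.192.0.0/10`, `52.160.0.0/11`) from a rule whose purpose is Office processes connecting to non-local IPs; Akamai edge space is shared by every Akamai customer and Azure blocks are rentable by any tenant, so this is effectively a CDN/cloud-wide allowlist rather than the Microsoft-only one the filter name suggests. The Akamai entries would be better expressed by hostname (this PR already adds a `DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'` filter further down), the Azure-wide blocks belong in a `filter_optional_` group, and the list should stay sorted (`23.3.88.0/22` is placed after `23.72.0.0/13`).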
@@ -184,12 +191,14 @@ detection:
# "urls": [
# "*.officeapps.live.com",
# "*.online.office.com",
# "office.live.com"
# "office.live.com",
# "office.com.akadns.net"
# ],
DestinationIp|cidr:
- '13.107.6.171/32'
- '13.107.18.15/32'
- '13.107.140.6/32'
- '20.64.0.0/10'
- '52.108.0.0/14'
- '52.244.37.168/32'
- '2603:1006:1400::/40'
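Review bot: `20.64.0.0/10` added here already contains the `20.64.0.0/12` block added later in this diff and the `20.103.156.88/32` msn.com entry in the next group, and `52.108.0.0/14` and `57.150.0.0/15` are repeated verbatim in the Microsoft 365 Common group below; since the condition is `not 1 of filter_main_*`, one occurrence suffices, so dedupe and keep only the widest prefix, or better narrow `20.64.0.0/10` to the documented service ranges, since a /10 is general Azure address space.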
@@ -225,6 +234,7 @@ detection:
# "becws.microsoftonline.com",
# "ccs.login.microsoftonline.com",
# "clientconfig.microsoftonline-p.net",
# "cloudapp.azure.com",
# "companymanager.microsoftonline.com",
# "device.login.microsoftonline.com",
# "graph.microsoft.com",
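Review bot: `cloudapp.azure.com` is the public DNS suffix every customer VM in Azure receives, not a Microsoft identity endpoint like the `*.microsoftonline.com` names around it; listing it here as justification for the CIDR filter means any IP range it brings in is attacker-rentable, so it should either be removed from this group or the ranges it justifies moved to a `filter_optional_` block.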
@@ -238,13 +248,17 @@ detection:
# "loginex.microsoftonline.com",
# "nexus.microsoftonline-p.com",
# "passwordreset.microsoftonline.com",
# "provisioningapi.microsoftonline.com"
# "provisioningapi.microsoftonline.com",
# "web.core.windows.net",
# ]
DestinationIp|cidr:
- '172.128.0.0/10'
- '20.20.32.0/19'
- '20.103.156.88/32' # msn.com
- '20.190.128.0/18'
- '20.231.128.0/19'
- '40.126.0.0/18'
- '57.150.0.0/15'
- '2603:1006:2000::/48'
- '2603:1007:200::/48'
- '2603:1016:1400::/48'
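Review bot: `web.core.windows.net` is the suffix of Azure Storage static websites, which any tenant can host, so like `cloudapp.azure.com` it does not belong in a list justifying an identity-endpoint filter; in addition `20.231.128.0/19` falls inside the `20.192.0.0/10` block in `filter_main_msrange_generic` and the pre-existing `20.190.128.0/18` inside `20.184.0.0/13` there. Keep only tenant-independent login ranges here, move the tenant-hosted suffixes and their ranges to a `filter_optional_` group, and drop the contained prefixes.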
@@ -265,21 +279,36 @@ detection:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.compliance.microsoft.com",
# "*.data.microsoft.com",
# "*.protection.office.com",
# "*.security.microsoft.com",
# "compliance.microsoft.com",
# "defender.microsoft.com",
# "protection.office.com",
# "security.microsoft.com"
# "security.microsoft.com",
# "teams.microsoft.com",
# ]
DestinationIp|cidr:
- '13.64.0.0/11'
- '13.107.6.192/32'
- '13.107.9.192/32'
- '13.89.179.14/32'
- '20.40.0.0/14'
- '20.48.0.0/12'
- '20.64.0.0/12'
- '52.123.0.0/16'
- '52.108.0.0/14'
- '52.136.0.0/13'
- '57.150.0.0/15'
- '80.239.150.67/32' # Arelion Sweden AB
- '2620:1ec:4::192/128'
- '2620:1ec:a92::192/128'
DestinationPort: 443
Protocol: 'tcp'
filter_main_destination_host:
DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
DestinationPort: 443
Protocol: 'tcp'
condition: selection and not 1 of filter_main_*
falsepositives:
- You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
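Review bot: `13.64.0.0/11` and `52.136.0.0/13` are broad Azure allocations (the `13.89.179.14/32` entry is already inside `13.64.0.0/11`), `52.108.0.0/14` and `57.150.0.0/15` duplicate entries in the Office Online and identity groups above, and `80.239.150.67/32` is attributed to Arelion Sweden AB, a transit carrier, with no indication of which Microsoft service it fronts; document the endpoint for that single IP or drop it, remove the contained and duplicate prefixes, and since `DestinationHostname` is only populated when the sensor performs reverse lookups, add a comment on `filter_main_destination_host` that it is a no-op on pipelines without that field.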
@@ -6,7 +6,7 @@ references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2024-07-02
modified: 2025-10-17
tags:
- attack.defense-evasion
- attack.command-and-control
@@ -27,8 +27,10 @@ detection:
- 53 # DNS
- 80 # HTTP
- 139 # NETBIOS
- 389 # LDAP
- 443 # HTTPS
- 445 # SMB
- 3268 # MSFT-GC
filter_main_outlook_ports:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
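Review bot: adding `389 # LDAP` and `3268 # MSFT-GC` to the global common-ports list suppresses LDAP and Global Catalog connections from every Office process, yet Word or Excel talking to a domain controller on those ports is a classic sign of a macro performing AD enumeration, while the legitimate case (address book lookups) is Outlook's; the `filter_main_outlook_ports` block directly below already scopes to `\OUTLOOK.EXE` under `\Program Files\Microsoft Office\`, so 389 and 3268 should be added there rather than to the list that applies to all Office images.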
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
date: 2019-06-17
modified: 2025-07-04
modified: 2025-10-17
tags:
- attack.defense-evasion
- attack.t1055
@@ -21,6 +21,7 @@ detection:
filter_main_explorer:
- Image|endswith: '\explorer.exe'
- OriginalFileName: 'explorer.exe'
- CommandLine: 'C:\Windows\Explorer.EXE'
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_*
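Review bot: the new `- CommandLine: 'C:\Windows\Explorer.EXE'` alternative makes the filter pass on command line alone, and command lines are attacker-controlled (a process can be started with a spoofed command line while its `Image` is something else), whereas the existing `Image|endswith` and `OriginalFileName` alternatives key on properties the sensor derives from the binary; if this was added for events where `Image` is empty, that case is already handled by `filter_main_null`, so either state the telemetry that needed it in a comment or combine the `CommandLine` match with an `Image` constraint instead of listing it as an independent alternative.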
@@ -12,7 +12,7 @@ references:
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-07
modified: 2025-10-17
tags:
- attack.persistence
- attack.t1547.001
@@ -44,7 +44,7 @@ detection:
- '\Authentication\PLAP Providers'
- '\Authentication\Credential Providers'
- '\Authentication\Credential Provider Filters'
filter_main_all:
filter_main_generic_all:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
- Image|endswith:
@@ -55,8 +55,11 @@ detection:
- 'C:\WINDOWS\system32\devicecensus.exe'
- 'C:\Windows\system32\winsat.exe'
- 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
- 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
- 'C:\Program Files\Everything\Everything.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
@@ -73,11 +76,6 @@ detection:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
filter_main_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_defender:
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
filter_main_teams:
@@ -129,6 +127,14 @@ detection:
- '\AppData\Local\Package Cache\{'
- '}\python-'
Details|endswith: '.exe" /burn.runonce'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart'
filter_optional_AVG_setup:
Image|contains:
- 'C:\Program Files\AVG\Antivirus\Setup\'
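Review bot: the OfficeClickToRun filter is demoted from `filter_main_officeclicktorun` (removed in the hunk above) to `filter_optional_officeclicktorun` here, gaining the `Program Files (x86)` root in place of the redundant `ClickToRun\Updates\` sub-path that the old `startswith` on `ClickToRun\` already covered; the move changes default behaviour for users who strip `filter_optional_*` blocks, yet neither it nor the `filter_main_all` to `filter_main_generic_all` rename is mentioned in the commit message, so both should be called out there.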
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-07
modified: 2025-10-17
tags:
- attack.persistence
- attack.t1547.001
@@ -62,6 +62,7 @@ detection:
- '\Outlook\Addins\UCAddin.LyncAddin.1'
- '\Outlook\Addins\UCAddin.UCAddin.1'
- '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
- 'AddinTakeNotesService\FriendlyName'
filter_main_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
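Review bot: the new entry `'AddinTakeNotesService\FriendlyName'` has no leading backslash, unlike `'\Outlook\Addins\UCAddin.LyncAddin.1'` and the other entries in this list, so under an `endswith` match it also matches a key such as `...\EvilAddinTakeNotesService\FriendlyName`; prefix it with `\` (and ideally the parent `\Addins\` path) so that only the OneNote add-in key is excluded, and note which Image writes it so the filter can be tied to that process.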