diff --git a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml b/deprecated/windows/image_load_office_dsparse_dll_load.yml similarity index 83% rename from rules/windows/image_load/image_load_office_dsparse_dll_load.yml rename to deprecated/windows/image_load_office_dsparse_dll_load.yml index de679c38d..a6693d093 100644 --- a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml +++ b/deprecated/windows/image_load_office_dsparse_dll_load.yml @@ -1,12 +1,12 @@ title: Active Directory Parsing DLL Loaded Via Office Application id: a2a3b925-7bb0-433b-b508-db9003263cc4 -status: test +status: deprecated # In the AD Environment, dsparse.dll is loaded everytime an Office application is launched, so this rule is not useful. description: Detects DSParse DLL being loaded by an Office Product references: - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb date: 2020-02-19 -modified: 2023-03-28 +modified: 2025-10-17 tags: - attack.execution - attack.t1204.002 diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index 32096ef46..158d89012 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -9,7 +9,7 @@ references: - Internal Research author: Samir Bousseaden, @neu5ron date: 2020-04-02 -modified: 2021-11-27 +modified: 2025-10-17 tags: - attack.collection logsource: @@ -28,7 +28,7 @@ detection: - '.bak' - '.dmp' - '.kirbi' - - '\groups.xml' + # - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments - '.rdp' condition: selection falsepositives: 
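Review bot: Commenting out `- '\groups.xml'` in the zeek_smb_converted_win_susp_raccess_sensitive_fext selection silently drops coverage for remote reads of Group Policy Preferences XML, the file historically inspected for stored credentials, and the same line is removed from win_security_susp_raccess_sensitive_fext in a later hunk. If the goal is FP reduction, keep the indicator and record the reason where analysts look for it: add `- Group Policy processing legitimately reads groups.xml from SYSVOL` under `falsepositives:` (the hunk's last context line), or move the entry into a separate lower-level rule rather than disabling it in place. A commented-out value leaves no trace of the coverage loss beyond the inline remark, and the `modified` bump alone does not explain it.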
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml index f66cca979..ffcc52394 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml @@ -9,7 +9,7 @@ references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-11 -modified: 2025-10-07 +modified: 2025-10-17 tags: - attack.defense-evasion logsource: @@ -35,6 +35,7 @@ detection: - 'https://statics.teams.cdn.office.net/' - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968 - 'https://installer.teams.static.microsoft/' + - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix filter_optional_onedrive: Path|contains: 'AppData\Local\Microsoft\OneDrive\' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* diff --git a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml index c5df4fceb..61f35fbc7 100644 --- a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml @@ -9,7 +9,7 @@ references: - Internal Research author: Samir Bousseaden date: 2019-04-03 -modified: 2022-10-09 +modified: 2025-10-17 tags: - attack.collection - attack.t1039 
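Review bot: The new entry `'https://res.cdn.office.net'` is the only item in this list without a trailing slash; its siblings `'https://statics.teams.cdn.office.net/'` and `'https://installer.teams.static.microsoft/'` close the hostname with `/` so a substring match cannot extend past it. As written, any URL whose host merely begins with `res.cdn.office.net` (a longer hostname under another domain) is suppressed as well. Change it to `- 'https://res.cdn.office.net/'`; the example in the trailing comment (`https://res.cdn.office.net/nativehost/...`) still matches. The field and modifier this list belongs to are above the hunk, so this assumes a `contains`-style match like the neighbouring entries.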
@@ -31,7 +31,7 @@ detection: - '.ost' - '.pst' - '.rdp' - - '\groups.xml' + # - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments condition: selection falsepositives: - Help Desk operator doing backup or re-imaging end user machine or backup software diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml index 26c7fcbbc..4ad1bc316 100644 --- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml +++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml @@ -7,7 +7,7 @@ references: - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) date: 2021-08-23 -modified: 2023-06-22 +modified: 2025-10-17 tags: - attack.t1204.002 - attack.execution @@ -42,6 +42,9 @@ detection: - '.vbs' - '.wsf' - '.wsh' + filter_main_localassembly: + TargetFilename|contains: '\AppData\Local\assembly\tmp\' + TargetFilename|endswith: '.dll' filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com TargetFilename|contains|all: - 'C:\Users\' 
@@ -54,9 +57,12 @@ detection: TargetFilename|endswith: - '.dll' - '.exe' - filter_main_localassembly: - TargetFilename|contains: '\AppData\Local\assembly\tmp\' - TargetFilename|endswith: '.dll' + filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com + TargetFilename|contains|all: + - 'C:\Users\' + - '\AppData\Local\Microsoft\Office\' + - '\BackstageInAppNavCache\' + TargetFilename|endswith: '.com' condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml index b7a31674b..962fd859a 100644 --- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml +++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml @@ -10,7 +10,7 @@ references: - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 -modified: 2022-10-07 +modified: 2025-10-17 tags: - attack.persistence - attack.t1547.001 
@@ -20,10 +20,13 @@ logsource: detection: selection: TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp' - filter_update: + filter_main_update: - Image: 'C:\Windows\System32\wuauclt.exe' - TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\' - condition: selection and not filter_update + filter_optional_onenote: + Image|endswith: '\ONENOTE.EXE' + TargetFilename|endswith: '\Send to OneNote.lnk' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate level: medium diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml index 5276352bc..d286fad96 100644 --- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml @@ -11,7 +11,7 @@ references: - https://github.com/ORCx41/DeleteShadowCopies author: frack113 date: 2022-10-31 -modified: 2025-10-07 +modified: 2025-10-17 tags: - attack.defense-evasion - attack.impact @@ -36,6 +36,8 @@ detection: Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' + filter_main_null_image: + Image: null filter_optional_programdata_packagecache: # The following filter is required because of many FPs cause by: # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml index 1cf10eb90..ee8bdd4f0 100644 --- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml 
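Review bot: `filter_optional_onenote` identifies the writer only by `Image|endswith: '\ONENOTE.EXE'`, so a binary of that name running from any directory is exempted when it drops `\Send to OneNote.lnk` into the Startup folder. The sibling `filter_main_update` pins its image to a full path (`'C:\Windows\System32\wuauclt.exe'`), and other rules in this repository anchor Office binaries with `Image|contains: ':\Program Files\Microsoft Office\'`; apply the same here by adding that `Image|contains` line next to the existing `Image|endswith`. Sigma string matching is case-insensitive by default, so the upper-case spelling itself is fine.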
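Review bot: `filter_main_null_image` exempts every image-load event whose `Image` field is empty, but unlike the identical filter added to image_load_dll_vsstrace_susp_load in the next hunk it carries no explanation. Add the same remark, `Image: null # Observed through Aurora`, so a maintainer knows which telemetry source produces the empty field and can drop the filter if that source is not in use. Because an empty `Image` also hides the loader's identity, consider whether a `filter_optional_` name is more appropriate in both rules so deployments without Aurora keep those events; the `condition` line is outside both hunks, so whether that prefix is honoured would need checking.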
@@ -11,7 +11,7 @@ references: - https://github.com/ORCx41/DeleteShadowCopies author: frack113 date: 2023-02-17 -modified: 2025-10-07 +modified: 2025-10-17 tags: - attack.defense-evasion - attack.impact @@ -32,6 +32,8 @@ detection: - 'C:\Windows\Temp\{' # Installers - 'C:\Windows\WinSxS\' - 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE + filter_main_null_image: + Image: null # Observed through Aurora filter_main_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index c2ae1db4b..2da3aadad 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -9,7 +9,7 @@ references: - https://github.com/bohops/WSMan-WinRM author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-06-24 -modified: 2025-02-26 +modified: 2025-10-17 tags: - attack.execution - attack.t1059.001 @@ -32,10 +32,15 @@ detection: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' filter_general: - Image|endswith: - - '\powershell.exe' + Image: + - 'C:\Program Files (x86)\PowerShell\6\pwsh.exe' + - 'C:\Program Files (x86)\PowerShell\7\pwsh.exe' + - 'C:\Program Files\PowerShell\6\pwsh.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' - 'C:\Windows\System32\sdiagnhost.exe' - 'C:\Windows\System32\services.exe' + - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' + - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' filter_svchost: # not available in Sysmon data, but Aurora logs CommandLine|contains: - 'svchost.exe -k netsvcs -p -s BITS' 
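Review bot: The rewritten `filter_general` pins PowerShell to absolute paths, which is a welcome tightening, but it lists only the 64-bit Windows PowerShell location `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`; on 64-bit hosts the 32-bit copy under `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\` was previously covered by the `\powershell.exe` suffix match and would now alert. If that is intended, say so in a comment; otherwise add `- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'` (and its `powershell_ise.exe` twin, since `filter_ps_ise` is removed in the next hunk). The list is also no longer sorted: the two Windows PowerShell entries sit after `services.exe` while the pwsh entries precede `sdiagnhost.exe`.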
@@ -57,10 +62,10 @@ detection: Image|startswith: 'C:\Windows\Temp\asgard2-agent\' filter_citrix: Image|startswith: 'C:\Program Files\Citrix\' - filter_ps_ise: - Image|endswith: '\powershell_ise.exe' filter_upgrade: Image|startswith: 'C:\$WINDOWS.~BT\Sources\' + filter_mmc: + Image|endswith: '\mmc.exe' svchost: Image|endswith: '\svchost.exe' commandline_null: diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml index 48b2f5e1f..8ba778e0c 100644 --- a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml +++ b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml @@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2021-11-10 -modified: 2025-10-06 +modified: 2025-10-17 tags: - attack.execution - attack.t1203 
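Review bot: `filter_mmc` uses `Image|endswith: '\mmc.exe'`, which matches a file of that name in any directory — the opposite of the approach taken in the previous hunk of this file, where `filter_general` moved from `\powershell.exe` suffixes to absolute paths. For consistency and so a renamed binary is not exempted, use `Image: 'C:\Windows\System32\mmc.exe'` (add the `SysWOW64` path only if 32-bit consoles are observed loading the provider). A one-line comment naming the snap-in or workflow seen loading WsmWmiPl.dll through mmc.exe would help the next person tuning this rule.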
@@ -38,15 +38,22 @@ detection: - 'fc00::/7' # IPv6 private addresses filter_main_msrange_generic: DestinationIp|cidr: + - '2.16.56.0/23' # Akamai International B.V. + - '2.17.248.0/21' # Akamai International B.V. + - '13.107.240.0/21' # Microsoft Corporation - '20.184.0.0/13' # Microsoft Corporation + - '23.61.224.0/20' # Akamai-AS - '20.192.0.0/10' # Microsoft Corporation - '23.72.0.0/13' # Akamai International B.V. + - '23.3.88.0/22' # Akamai-AS + - '23.216.132.0/22' # Akamai-AS - '40.76.0.0/14' # Microsoft Corporation - '51.10.0.0/15' # Microsoft Corporation - '51.103.0.0/16' # Microsoft Corporation - '51.104.0.0/15' # Microsoft Corporation - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22 - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11 + - '95.101.96.0/21' # Akamai-As - '204.79.197.0/24' # Microsoft Corporation filter_main_msrange_exchange_1: # Exchange Online @@ -184,12 +191,14 @@ detection: # "urls": [ # "*.officeapps.live.com", # "*.online.office.com", - # "office.live.com" + # "office.live.com", + # "office.com.akadns.net" # ], DestinationIp|cidr: - '13.107.6.171/32' - '13.107.18.15/32' - '13.107.140.6/32' + - '20.64.0.0/10' - '52.108.0.0/14' - '52.244.37.168/32' - '2603:1006:1400::/40' @@ -225,6 +234,7 @@ detection: # "becws.microsoftonline.com", # "ccs.login.microsoftonline.com", # "clientconfig.microsoftonline-p.net", + # "cloudapp.azure.com", # "companymanager.microsoftonline.com", # "device.login.microsoftonline.com", # "graph.microsoft.com", 
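Review bot: The new entries in `filter_main_msrange_generic` break the numeric ordering of the list (`'23.61.224.0/20'` sits between `'20.184.0.0/13'` and `'20.192.0.0/10'`; `'23.3.88.0/22'` follows `'23.72.0.0/13'`) and spell the same owner three ways (`Akamai International B.V.`, `Akamai-AS`, `Akamai-As`); sort the entries and pick one label. More importantly, these are CDN ranges shared by many Akamai customers rather than Microsoft address space, so as `filter_main_` entries they exempt every Office connection to any Akamai-hosted destination. Record which Microsoft service was observed on each range in the trailing comment, as the later `# msn.com` entry does, or group the CDN ranges under a `filter_optional_` key so operators can decide. The last hunk of this file shows `condition: selection and not 1 of filter_main_*` only, so a `filter_optional_` key would also need the condition extended.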
@@ -238,13 +248,17 @@ detection: # "loginex.microsoftonline.com", # "nexus.microsoftonline-p.com", # "passwordreset.microsoftonline.com", - # "provisioningapi.microsoftonline.com" + # "provisioningapi.microsoftonline.com", + # "web.core.windows.net", # ] DestinationIp|cidr: + - '172.128.0.0/10' - '20.20.32.0/19' + - '20.103.156.88/32' # msn.com - '20.190.128.0/18' - '20.231.128.0/19' - '40.126.0.0/18' + - '57.150.0.0/15' - '2603:1006:2000::/48' - '2603:1007:200::/48' - '2603:1016:1400::/48' @@ -265,21 +279,36 @@ detection: # Microsoft 365 Common and Office Online # "urls": [ # "*.compliance.microsoft.com", + # "*.data.microsoft.com", # "*.protection.office.com", # "*.security.microsoft.com", # "compliance.microsoft.com", # "defender.microsoft.com", # "protection.office.com", - # "security.microsoft.com" + # "security.microsoft.com", + # "teams.microsoft.com", # ] DestinationIp|cidr: + - '13.64.0.0/11' - '13.107.6.192/32' - '13.107.9.192/32' + - '13.89.179.14/32' + - '20.40.0.0/14' + - '20.48.0.0/12' + - '20.64.0.0/12' + - '52.123.0.0/16' - '52.108.0.0/14' + - '52.136.0.0/13' + - '57.150.0.0/15' + - '80.239.150.67/32' # Arelion Sweden AB - '2620:1ec:4::192/128' - '2620:1ec:a92::192/128' DestinationPort: 443 Protocol: 'tcp' + filter_main_destination_host: + DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com' + DestinationPort: 443 + Protocol: 'tcp' condition: selection and not 1 of filter_main_* falsepositives: - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml index c28857ab5..e8b4edfba 100644 --- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml +++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml 
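Review bot: Several ranges added to the Microsoft 365 Common/Office Online block carry no ownership comment and are far broader than the /32 and /128 entries around them — `'13.64.0.0/11'`, `'20.40.0.0/14'`, `'20.48.0.0/12'`, `'20.64.0.0/12'`, `'52.136.0.0/13'`, `'57.150.0.0/15'`, and `'172.128.0.0/10'` in the preceding hunk — and none of them is explained by the quoted `"urls"` comments. If these are general Azure customer ranges rather than the named service endpoints, any destination hosted there is exempted; document the source for each, e.g. `- '13.64.0.0/11' # <source/AS placeholder>`, or keep them under a separate key. `'20.64.0.0/10'` added earlier in this file already contains `'20.64.0.0/12'`, and `'57.150.0.0/15'` now appears in two blocks, so since all `filter_main_*` keys are OR-ed the duplicates can go. `filter_main_destination_host` depends on `DestinationHostname`, which Sysmon only fills when reverse lookup is enabled; note that in a comment so the filter is not assumed to work on every log source.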
@@ -6,7 +6,7 @@ references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023-07-12 -modified: 2024-07-02 +modified: 2025-10-17 tags: - attack.defense-evasion - attack.command-and-control @@ -27,8 +27,10 @@ detection: - 53 # DNS - 80 # HTTP - 139 # NETBIOS + - 389 # LDAP - 443 # HTTPS - 445 # SMB + - 3268 # MSFT-GC filter_main_outlook_ports: Image|contains: ':\Program Files\Microsoft Office\' Image|endswith: '\OUTLOOK.EXE' diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index cc8ed60dd..2e93071db 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (Nextron Systems), Samir Bousseaden (idea) date: 2019-06-17 -modified: 2025-07-04 +modified: 2025-10-17 tags: - attack.defense-evasion - attack.t1055 @@ -21,6 +21,7 @@ detection: filter_main_explorer: - Image|endswith: '\explorer.exe' - OriginalFileName: 'explorer.exe' + - CommandLine: 'C:\Windows\Explorer.EXE' filter_main_null: Image: null condition: selection and not 1 of filter_main_* diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index dda434e68..0f768b106 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml 
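Review bot: `389` and `3268` are added to the port list that exempts every Office process, yet the rule already has a per-image `filter_main_outlook_ports` keyed on `Image|endswith: '\OUTLOOK.EXE'` for traffic only Outlook is expected to generate; directory lookups over LDAP and the Global Catalog are that kind of traffic, so Word or Excel reaching a domain controller on 389/3268 would now be silenced too. Move the two entries into `filter_main_outlook_ports` (its port list continues below the hunk) unless other Office binaries were observed using them, in which case name them in the trailing comment. `# MSFT-GC` is the IANA service name; `# Global Catalog (LDAP)` reads more clearly next to `# LDAP`.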
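Review bot: The new `- CommandLine: 'C:\Windows\Explorer.EXE'` entry is a third alternative in `filter_main_explorer` (a list of maps is OR-ed), so a userinit child is exempted on its command line alone without `Image` or `OriginalFileName` agreeing. The command line is supplied by whoever starts the process, unlike `OriginalFileName` from the PE version resource, which makes it the weakest of the three identifiers. Since `filter_main_null` already exempts events with an empty `Image`, the new entry only changes the outcome when `Image` is present and is not explorer.exe while the command line claims to be — the situation the rule exists to surface. Document the telemetry case that motivated it in a trailing comment, e.g. `# <log source placeholder> reports Image as <value> for the real explorer.exe`, or drop the entry.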
@@ -12,7 +12,7 @@ references: - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019-10-25 -modified: 2025-10-07 +modified: 2025-10-17 tags: - attack.persistence - attack.t1547.001 @@ -44,7 +44,7 @@ detection: - '\Authentication\PLAP Providers' - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' - filter_main_all: + filter_main_generic_all: - Details: '(Empty)' - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' - Image|endswith: @@ -55,8 +55,11 @@ detection: - 'C:\WINDOWS\system32\devicecensus.exe' - 'C:\Windows\system32\winsat.exe' - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' + - 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe' - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe' + - 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe' - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe' - 'C:\Program Files\Everything\Everything.exe' - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' @@ -73,11 +76,6 @@ detection: - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\' - 'C:\Program Files (x86)\Microsoft\EdgeWebView\' - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - filter_main_officeclicktorun: - Image|startswith: - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' filter_main_defender: Image: 'C:\Program Files\Windows Defender\MsMpEng.exe' filter_main_teams: 
@@ -129,6 +127,14 @@ detection: - '\AppData\Local\Package Cache\{' - '}\python-' Details|endswith: '.exe" /burn.runonce' + filter_optional_officeclicktorun: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\' + Image|endswith: '\OfficeClickToRun.exe' + filter_optional_teams: + Image|endswith: '\Microsoft\Teams\current\Teams.exe' + Details|contains: '\Microsoft\Teams\Update.exe --processStart' filter_optional_AVG_setup: Image|contains: - 'C:\Program Files\AVG\Antivirus\Setup\' diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index 98d279b37..2c7c412fb 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml @@ -11,7 +11,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019-10-25 -modified: 2025-10-07 +modified: 2025-10-17 tags: - attack.persistence - attack.t1547.001 @@ -62,6 +62,7 @@ detection: - '\Outlook\Addins\UCAddin.LyncAddin.1' - '\Outlook\Addins\UCAddin.UCAddin.1' - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\' + - 'AddinTakeNotesService\FriendlyName' filter_main_officeclicktorun: Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
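Review bot: `filter_optional_teams` overlaps with the existing `filter_main_teams` shown as the last context line of the earlier hunk of this file (its body is outside the diff), so a reader cannot tell whether the new key is a narrower duplicate or covers a different Teams binary; add a comment stating what `filter_main_teams` does not cover, e.g. `# Classic Teams per-user install registering Update.exe --processStart in Run`. The OfficeClickToRun filter moves from `filter_main_` to `filter_optional_`, gains the `(x86)` path and drops `...ClickToRun\Updates\`, which is redundant under `startswith`; since `filter_optional_AVG_setup` already exists the condition presumably handles the prefix, but the `condition` line is not in either hunk, so confirm it. A short comment on why ClickToRun is now optional (operators without Office Click-to-Run can keep those events) would make the semantic change visible.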
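Review bot: `'AddinTakeNotesService\FriendlyName'` is the only entry in this list without a leading backslash; its neighbours are written as `'\Outlook\Addins\...'`. If the list is a `TargetObject|endswith` match (the field line is above the hunk), the unanchored form also matches any key whose last path element merely ends in `AddinTakeNotesService`. Write it as `- '\AddinTakeNotesService\FriendlyName'`, and add a trailing comment naming the product that registers the value so the exemption can be retired when it no longer applies.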