From ca8e778476b3e643ddc72baf7641f299d0b42567 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Tue, 28 Apr 2026 03:55:09 +0545 Subject: [PATCH] Merge PR #5833 from @swachchhanda000 - Fix Multiple FPs based on VT data update: Suspicious Creation TXT File in User Desktop - Move to a TH rule fix: Office Macro File Creation - Exclude office binaries fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs. fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey fix: Office Autorun Keys Modification - Add filters for shortened paths using tilde fix Outlook Security Settings Updated - Registry - Exclude the outlook process --------- Co-authored-by: Nasreddine Bencherchali --- .../file_event_win_susp_desktop_txt.yml | 8 ++++-- ...e_event_win_office_macro_files_created.yml | 12 ++++++++- .../proc_creation_win_msiexec_execute_dll.yml | 24 ++++++----------- ...n_win_susp_script_exec_from_env_folder.yml | 20 +++++++++++--- ...reation_win_susp_script_exec_from_temp.yml | 23 +++++++++++----- ...ent_susp_process_registry_modification.yml | 9 ++++++- ...set_asep_reg_keys_modification_classes.yml | 6 ++++- ..._set_asep_reg_keys_modification_office.yml | 26 +++++++++++++++---- ...y_set_office_outlook_security_settings.yml | 9 +++++-- .../registry_set_persistence_office_vsto.yml | 9 ++++++- 10 files changed, 107 insertions(+), 39 deletions(-) rename {rules => rules-threat-hunting}/windows/file/file_event/file_event_win_susp_desktop_txt.yml (57%)
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_desktop_txt.yml
similarity index 57%
rename from rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
rename to rules-threat-hunting/windows/file/file_event/file_event_win_susp_desktop_txt.yml
index 9d95f7b86..c8053adb3 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_desktop_txt.yml
@@ -1,14 +1,18 @@
 title: Suspicious Creation TXT File in User Desktop
 id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
 status: test
-description: Ransomware create txt file in the user Desktop
+description: |
+ Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
+ Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
 author: frack113
 date: 2021-12-26
+modified: 2026-01-09
 tags:
 - attack.impact
 - attack.t1486
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_event
@@ -22,4 +26,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
index fd9cf1af0..c28e43430 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
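Review bot: The new side still lists `- Unknown` under `falsepositives:` while the rewritten description now says the behaviour "can also occur during legitimate administrative tasks"; the two disagree, and the falsepositives entry is what downstream consumers surface when tuning. Suggest `- Administrative or scripted tasks that write .txt files to a user's Desktop via cmd.exe` (hedged, since the selection itself is outside this hunk). The description also names ransom-note strings ("RANSOM", "DECRYPT", "READ_ME") that the analyst must check by hand; if those are a reliable signal they would be worth a separate `TargetFilename|contains` selection in a follow-up.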
@@ -10,6 +10,7 @@ references:
 - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-23
+modified: 2026-01-09
 tags:
 - attack.initial-access
 - attack.t1566.001
@@ -25,7 +26,16 @@ detection:
 - '.xltm'
 - '.potm'
 - '.pptm'
- condition: selection
+ filter_main_office:
+ Image|startswith:
+ - 'C:\Program Files\Microsoft Office\'
+ - 'C:\Program Files (x86)\Microsoft Office\'
+ Image|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.EXE'
+ TargetFilename|contains: '\~$' # Temporary files created by Office applications
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Very common in environments that rely heavily on macro documents
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
index 3f7b78db4..217a284c2 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
 date: 2022-01-16
-modified: 2024-03-13
+modified: 2026-01-09
 tags:
 - attack.defense-evasion
 - attack.t1218.007
@@ -20,22 +20,14 @@ logsource:
 detection:
 selection:
 Image|endswith: '\msiexec.exe'
- CommandLine|contains|windash: ' -y'
- filter_apple:
+ CommandLine|contains|windash: ' /Y'
+ filter_main_legit_path:
 CommandLine|contains:
- - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll'
- - '\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
- - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- - '\MsiExec.exe" /Y "C:\Windows\CCM\'
- - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution
- - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
- - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
- - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- - '\MsiExec.exe" -Y "C:\Windows\CCM\'
- - '\MsiExec.exe" -Y C:\Windows\CCM\' # also need non-quoted execution
- condition: selection and not 1 of filter_*
+ - '\MsiExec.exe" /Y "C:\Program Files\'
+ - '\MsiExec.exe" /Y "C:\Program Files (x86)\'
+ - '\MsiExec.exe" /Y "C:\Windows\System32\'
+ - '\MsiExec.exe" /Y "C:\Windows\SysWOW64\'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Legitimate script
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
index f4fcfc0af..23406c116 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
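Review bot: The new `filter_main_legit_path` spells only the `/Y` form, whereas the selection relies on `windash` on `' /Y'` to fire on the `-Y` spelling too (the removed filter carried both), so a legitimate `msiexec -Y "C:\Program Files\..."` now alerts while the `/Y` form is suppressed. Unless that asymmetry is intended, change the filter key to `CommandLine|contains|windash:` so both sides expand the same way. Note also that this is a `filter_main_*`, i.e. always on, and it now trusts any quoted DLL anywhere under Program Files, System32 or SysWOW64 rather than named vendor DLLs; environments with user-writable subfolders in those trees may prefer it as `filter_optional_*`.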
@@ -1,14 +1,16 @@
 title: Script Interpreter Execution From Suspicious Folder
 id: 1228c958-e64e-4e71-92ad-7d429f4138ba
 status: test
-description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
+description: |
+ Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
+ Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
 references:
 - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
 - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-02-08
-modified: 2023-06-16
+modified: 2026-01-09
 tags:
 - attack.execution
 - attack.t1059
@@ -38,6 +40,7 @@ detection:
 CommandLine|contains:
 - ':\Perflogs\'
 - ':\Users\Public\'
+ - '\%Public%'
 - '\AppData\Local\Temp'
 - '\AppData\Roaming\Temp'
 - '\Temporary Internet'
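Review bot: The added `'\%Public%'` only matches a command line in which `%Public%` is immediately preceded by a backslash; a typical `wscript %Public%\x.vbs` has a space before the variable and is not caught, and once the shell has expanded it the existing `':\Users\Public\'` entry already applies. If the leading backslash is not deliberate (in Sigma a backslash before `%` is just a literal backslash), `'%Public%'` covers both forms; if it is meant to target a specific traversal pattern, an inline comment saying so would spare the next reader the same question.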
@@ -52,7 +55,16 @@ detection:
 - CommandLine|contains|all:
 - ':\Users\'
 - '\Contacts\'
- condition: 1 of selection_proc_* and 1 of selection_folders_*
+ filter_optional_chocolatey_installer:
+ ParentImage:
+ - 'C:\Windows\System32\Msiexec.exe'
+ - 'C:\Windows\SysWOW64\Msiexec.exe'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - '-NoProfile -ExecutionPolicy Bypass -Command'
+ - 'AppData\Local\Temp\'
+ - 'Install-Chocolatey.ps1'
+ condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
 falsepositives:
- - Unknown
+ - Various legitimate software have been observed to use similar techniques for installation or update purposes;thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
index b50f53858..3dfe9a254 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
 date: 2021-07-14
-modified: 2022-10-05
+modified: 2026-01-09
 tags:
 - attack.execution
 - attack.t1059
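Review bot: The only thing in `filter_optional_chocolatey_installer` that distinguishes the Chocolatey bootstrap from any other MSI-launched `powershell -NoProfile -ExecutionPolicy Bypass -Command` stage running out of `%TEMP%` is the string `Install-Chocolatey.ps1`, which an installer author chooses freely, so a malicious MSI naming its dropper that way is silenced by this filter. That is acceptable for a `filter_optional_` entry, but worth stating next to it: `# Enable only where Chocolatey is deployed via MSI; the script name alone is trivially spoofable`. The new falsepositives text also has a typo, `purposes;thus` should read `purposes; thus`, and the identical sentence is repeated in the next file.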
@@ -29,14 +29,25 @@ detection:
 - '%TEMP%'
 - '%TMP%'
 - '%LocalAppData%\Temp'
- filter:
+ filter_optional_vscode:
+ CommandLine|contains: '-WindowStyle hidden -Verb runAs'
+ filter_optional_amazon_ec2:
+ CommandLine|contains: '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
+ filter_optional_generic:
 CommandLine|contains:
 - ' >'
 - 'Out-File'
 - 'ConvertTo-Json'
- - '-WindowStyle hidden -Verb runAs' # VSCode behaviour if file cannot be written as current user
- - '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\' # EC2 AWS
- condition: selection and not filter
+ filter_optional_chocolatey_installer:
+ ParentImage:
+ - 'C:\Windows\System32\Msiexec.exe'
+ - 'C:\Windows\SysWOW64\Msiexec.exe'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - '-NoProfile -ExecutionPolicy Bypass -Command'
+ - 'AppData\Local\Temp\'
+ - 'Install-Chocolatey.ps1'
+ condition: selection and not 1 of filter_optional_*
 falsepositives:
- - Administrative scripts
+ - Various legitimate software have been observed to use similar techniques for installation or update purposes;thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 level: high
diff --git a/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml b/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml
index 246dd245d..ab0309610 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml
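Review bot: `filter_optional_generic` keeps the old blanket exclusions (`' >'`, `Out-File`, `ConvertTo-Json`), any one of which alone suppresses this `level: high` rule, so appending ` >nul` to a script launched from Temp is a cheap bypass that the restructuring carries forward under a new name. Since the commit already labels these as optional, either narrow `' >'` to the redirection the original false positive actually needed, or add a comment telling consumers to drop `filter_optional_generic` where that bypass matters, e.g. `# Broad exclusions; a single " >" in the command line disables the rule, disable where evasion is a concern`. The new falsepositives line is also missing a space in `purposes;thus`.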
@@ -32,13 +32,20 @@ detection:
 - '\mshta.exe'
 - '\wscript.exe'
 - '\cscript.exe'
- filter_main_legit_wscript:
+ filter_main_binary_data:
+ Details: 'Binary Data'
+ filter_main_null:
+ Details: null
+ filter_main_wscript_legit_1:
 Image|endswith: '\wscript.exe'
 TargetObject|contains:
 - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
 - '\Services\bam\State\UserSettings\S-1-'
 - 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
 - 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
+ filter_main_wscript_legit_2:
+ Image|endswith: '\wscript.exe'
+ TargetObject|contains: '\wscript.exe'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Some legitimate admin or install scripts may use these processes for registry modifications.
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index 4b56cda15..268ef746a 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
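Review bot: `filter_main_wscript_legit_2` excludes every registry path containing `\wscript.exe` when written by wscript.exe, which also covers persistence keys named after that image, e.g. `...\Image File Execution Options\wscript.exe\` (Debugger) or `...\AppCompatFlags\Layers\...\wscript.exe`, so a script registering an IFEO debugger for its own host is now silent. Narrow it to the key prefix that produced the false positive instead of the bare `'\wscript.exe'`; the `Windows Script\Settings\Telemetry\wscript.exe\` entry already in `..._legit_1` suggests the benign location is known. Separately, `filter_main_null: Details: null` will, if `null` matches an absent field as in pySigma, drop every key-create/delete event (those carry no Details in Sysmon), so a one-line comment stating that only value-set events are kept would make that trade-off explicit.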
@@ -4,7 +4,11 @@ related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
 type: obsolete
 status: test
-description: Detects modification of autostart extensibility point (ASEP) in registry.
+description: |
+ Detects modification of Windows Registry Classes keys used for persistence.
+ Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
+ Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
+ thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index 66bee2542..0c8a5a251 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -4,14 +4,17 @@ related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
 type: obsolete
 status: test
-description: Detects modification of autostart extensibility point (ASEP) in registry.
+description: |
+ Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
+ There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
+ Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2025-10-17
+modified: 2026-01-09
 tags:
 - attack.privilege-escalation
 - attack.persistence
@@ -35,12 +38,17 @@ detection:
 - 'test\Special\Perf'
 filter_main_empty:
 Details: '(Empty)'
+ filter_main_null:
+ Details: null
 filter_main_known_addins:
 Image|startswith:
 - 'C:\Program Files\Microsoft Office\'
 - 'C:\Program Files (x86)\Microsoft Office\'
+ - 'C:\PROGRA~2\MICROS~2\Office'
 - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\SysWOW64\msiexec.exe'
 - 'C:\Windows\System32\regsvr32.exe'
+ - 'C:\Windows\SysWOW64\regsvr32.exe '
 TargetObject|contains: # Remove any unused addins in your environment from the filter
 # Known addins for excel
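Review bot: `'C:\Windows\SysWOW64\regsvr32.exe '` carries a trailing space inside the quotes, so the `Image|startswith` comparison can never match a real image path and the new SysWOW64 regsvr32 exception is dead; it should read `- 'C:\Windows\SysWOW64\regsvr32.exe'`. The `'C:\PROGRA~2\MICROS~2\Office'` entry depends on 8.3 aliases whose numeric suffix is assigned per volume in folder-creation order, so `MICROS~2` is not guaranteed to be Microsoft Office on every host (nor `PROGRA~2` to be Program Files (x86)); a comment such as `# 8.3 short name as observed in telemetry; the ~2 suffix may differ per host` would flag that for people tuning the rule.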
@@ -55,9 +63,11 @@ detection:
 - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
 - '\Outlook\AddIns\EvernoteOLRD.Connect\'
 # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
+ - '\Outlook\Addins\\OneNote.OutlookAddin'
+ - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
+ - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
 - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
 - '\Outlook\Addins\OcOffice.OcForms\'
- - '\Outlook\Addins\\OneNote.OutlookAddin'
 - '\Outlook\Addins\OscAddin.Connect\'
 - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
 - '\Outlook\Addins\UCAddin.LyncAddin.1'
@@ -69,6 +79,11 @@ detection:
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_main_vsto:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
+ - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
+ Image|endswith: '\VSTOInstaller.exe'
 filter_optional_avg:
 Image:
 - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
@@ -79,8 +94,9 @@ detection:
 - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
 - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
 TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
+ # These filters are not exhaustive, filter can be expanded based on environment
 condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- - Legitimate administrator sets up autorun keys for legitimate reason
+ - Legitimate software or add-in installations and administrative configurations
+ - Automatic registry modifications during legitimate software installations
 level: medium
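Review bot: The two new Google entries (`DriveFSExtensionLib.Connect`, `GoogleAppsSync.Connect`) sit in `filter_main_known_addins`, whose exclusion is keyed on a registry path the installer chooses and whose accepted images include `msiexec.exe` and `regsvr32.exe`, so `regsvr32 evil.dll` registering a COM add-in under `\Outlook\Addins\GoogleAppsSync.Connect\` is suppressed on the name alone. That is inherent to this list, but vendor-specific entries fit `filter_optional_` better than `filter_main_` so that consumers without Google Workspace keep the alert; at minimum repeat the existing `# Remove any unused addins in your environment from the filter` guidance beside the new entries.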
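Review bot: In `filter_main_vsto` the x86 path `'C:\Program Files (x86)\Microsoft Shared\VSTO\'` lacks the `Common Files\` segment that its 64-bit sibling carries; if VSTOInstaller.exe lives under `...\Common Files\Microsoft Shared\VSTO\` on 32-bit Office installs as the first entry implies, the second entry never matches and those installs keep alerting. Suggest `- 'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\'` unless the shorter path was actually observed in the VT samples, in which case a comment saying so would stop the next reviewer from "fixing" it.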
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
index fea930154..17d3f88a5 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
@@ -10,7 +10,7 @@ references:
 - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
 author: frack113
 date: 2021-12-28
-modified: 2023-08-17
+modified: 2026-01-09
 tags:
 - attack.persistence
 - attack.t1137
@@ -22,7 +22,12 @@ detection:
 TargetObject|contains|all:
 - '\SOFTWARE\Microsoft\Office\'
 - '\Outlook\Security\'
- condition: selection
+ filter_main_outlook:
+ Image|startswith:
+ - 'C:\Program Files\Microsoft Office\'
+ - 'C:\Program Files (x86)\Microsoft Office\'
+ Image|endswith: '\OUTLOOK.EXE'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Administrative activity
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
index c7f94c19c..b6a250ee0 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -7,7 +7,7 @@ references:
 - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021-01-10
-modified: 2025-10-07
+modified: 2026-01-09
 tags:
 - attack.t1137.006
 - attack.persistence
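Review bot: `filter_main_outlook` unconditionally excludes `OUTLOOK.EXE` from a rule whose purpose is to catch tampering with `\Outlook\Security\` values, yet the in-process attack paths a T1137 rule cares about (a VBA project, a COM add-in, or a DLL injected into Outlook) write those values from that same image, so the filter removes exactly the case worth keeping. Prefer constraining the exclusion to what Outlook writes on its own, e.g. add a `Details` condition for the benign data seen in the VT samples, or demote it to `filter_optional_outlook` with a comment such as `# Outlook rewrites its own security keys; add-ins and VBA running inside Outlook are excluded here too`.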
@@ -43,14 +43,21 @@ detection:
 - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
 - 'C:\Program Files\Microsoft Office\Root\OFFICE'
 - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
+ - 'C:\PROGRA~2\MICROS~2\Office'
 Image|endswith:
 - '\excel.exe'
 - '\Integrator.exe'
+ - '\OneNote.exe'
 - '\outlook.exe'
 - '\powerpnt.exe'
 - '\Teams.exe'
 - '\visio.exe'
 - '\winword.exe'
+ filter_main_vsto:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
+ - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
+ Image|endswith: '\VSTOInstaller.exe'
 filter_optional_avg:
 Image:
 - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
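Review bot: As in the Office ASEP rule, the x86 entry `'C:\Program Files (x86)\Microsoft Shared\VSTO\'` in `filter_main_vsto` is missing `Common Files\` relative to the 64-bit entry directly above it, so on the layout that sibling implies the 32-bit VSTOInstaller.exe is never matched; use `- 'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\'` unless the shorter path was observed. The `'C:\PROGRA~2\MICROS~2\Office'` short-name entry is also volume-specific (the `~2` suffix depends on folder-creation order on each host), which a short comment beside it should say so tuners do not treat it as canonical.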