diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_office.yml b/deprecated/windows/proc_creation_win_lolbin_office.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbin_office.yml
rename to deprecated/windows/proc_creation_win_lolbin_office.yml
diff --git a/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml b/deprecated/windows/registry_set_disable_microsoft_office_security_features.yml
similarity index 97%
rename from rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
rename to deprecated/windows/registry_set_disable_microsoft_office_security_features.yml
index d8462d4e0..cd5b831ab 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
+++ b/deprecated/windows/registry_set_disable_microsoft_office_security_features.yml
@@ -1,6 +1,6 @@
 title: Disable Microsoft Office Security Features
 id: 7c637634-c95d-4bbf-b26c-a82510874b34
-status: test
+status: deprecated
 description: Disable Microsoft Office Security Features by registry
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
@@ -8,7 +8,7 @@ references:
 - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
 author: frack113
 date: 2021/06/08
-modified: 2022/03/26
+modified: 2023/06/21
 tags:
 - attack.defense_evasion
 - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_office_security.yml b/deprecated/windows/registry_set_office_security.yml
similarity index 95%
rename from rules/windows/registry/registry_set/registry_set_office_security.yml
rename to deprecated/windows/registry_set_office_security.yml
index b54ec0047..aa4fd01a6 100644
--- a/rules/windows/registry/registry_set/registry_set_office_security.yml
+++ b/deprecated/windows/registry_set_office_security.yml
@@ -1,6 +1,6 @@
 title: Office Security Settings Changed
 id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
-status: experimental
+status: deprecated
 description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
 references:
 - https://twitter.com/inversecos/status/1494174785621819397
@@ -8,7 +8,7 @@ references:
 - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
-modified: 2022/06/26
+modified: 2023/06/21
 tags:
 - attack.defense_evasion
 - attack.t1112
diff --git a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
similarity index 88%
rename from rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
index 5212ce362..a0f4b0336 100644
--- a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth (Nextron Systems), Sittikorn S
 date: 2021/09/10
-modified: 2022/06/17
+modified: 2023/06/22
 tags:
 - attack.resource_development
 - attack.t1587
@@ -17,20 +17,18 @@ logsource:
 detection:
 selection_cab:
 Image|endswith: '\winword.exe'
- TargetFilename|endswith: '.cab'
 TargetFilename|contains: '\Windows\INetCache'
+ TargetFilename|endswith: '.cab'
 selection_inf:
 Image|endswith: '\winword.exe'
 TargetFilename|contains|all:
 - '\AppData\Local\Temp\'
 - '.inf'
- filter_legit:
+ filter_main_legit:
 TargetFilename|startswith: 'C:\Users\'
 TargetFilename|contains: 'AppData\Local\Temp'
 TargetFilename|endswith: '\Content.inf'
- condition: (selection_cab or selection_inf) and not filter_legit
-fields:
- - TargetFilename
+ condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
new file mode 100644
index 000000000..672dd7311
--- /dev/null
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
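Review bot: `filter_main_legit` still anchors on `TargetFilename|startswith: 'C:\Users\'` while both selections match a profile on any volume, so the legitimate `\Content.inf` written from a profile that lives on another drive is not filtered and alerts as high; the ShellDispatch rule added in this same commit uses the drive-agnostic `':\Users\'` form, and `TargetFilename|contains: ':\Users\'` here would behave the same way. Separately, `selection_inf` matches `'.inf'` with `contains|all`, i.e. as a substring anywhere in the path rather than as the extension; pairing `TargetFilename|contains: '\AppData\Local\Temp\'` with `TargetFilename|endswith: '.inf'` would be tighter and mirror the `endswith: '.cab'` used in `selection_cab`.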
@@ -0,0 +1,27 @@
+title: Microsoft Office Trusted Location Updated
+id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
+related:
+ - id: f742bde7-9528-42e5-bd82-84f51a8387d2
+ type: similar
+status: experimental
+description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
+references:
+ - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/21
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - detection.threat_hunting
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject|contains: 'Security\Trusted Locations\Location'
+ TargetObject|endswith: '\Path'
+ condition: selection
+falsepositives:
+ - During office installations or setup, trusted locations are added, which will trigger this rule.
+level: medium
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 915fee3f4..3046d4ef6 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -11,7 +11,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/20
-modified: 2023/06/06
+modified: 2023/06/20
 tags:
 - attack.execution
 logsource:
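Review bot: The selection only fires on writes to the `\Path` value, so a change that widens an existing trusted location without touching `Path` — setting its `AllowSubFolders` value — is not covered even though the same `Security\Trusted Locations\Location` prefix applies; turning the last match into a list, `TargetObject|endswith:` with `- '\Path'` and `- '\AllowSubFolders'`, closes that gap at no cost to the hunting intent. The `falsepositives` entry notes installer noise but gives tuners nothing to filter on; if the setup process that writes these keys is known, naming it there helps, otherwise a short `# Note:` above `selection` saying that no installer filter is applied on purpose documents the choice.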
@@ -97,6 +97,10 @@ detection:
 ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
 RequestedPolicy: 8
 ValidatedPolicy: 1
+ filter_optional_trend_micro:
+ FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
+ RequestedPolicy: 8
+ ValidatedPolicy: 1
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Antivirus and other third party products. Apply additional filters accordingly
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing.yml b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
new file mode 100644
index 000000000..030c02dd3
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
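Review bot: `filter_optional_trend_micro` excludes the DLL by file-name suffix only, with no `ProcessNameBuffer` constraint, whereas the preceding filter in the context lines also pins the loading process (`SystemSettings.exe`); if that agent DLL is only expected inside Trend Micro's own processes, adding `ProcessNameBuffer|contains: '\Trend Micro\'` keeps the exclusion from also hiding the same file name loaded by an unrelated process. Since this is an `filter_optional_*` entry the exposure is limited to deployments that enable it, but the narrower form costs nothing. The enclosing `detection` block starts before this hunk.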
@@ -0,0 +1,52 @@
+title: Windows Event Auditing Disabled
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+related:
+ - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
+ type: derived
+status: test
+description: |
+ Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
+ This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
+ Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
+ Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
+references:
+ - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
+author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
+date: 2017/11/19
+modified: 2021/11/27
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+logsource:
+ product: windows
+ service: security
+ definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
+detection:
+ selection:
+ EventID: 4719
+ AuditPolicyChanges|contains:
+ - '%%8448' # This is "Success removed"
+ - '%%8450' # This is "Failure removed"
+ filter_main_guid:
+ # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
+ SubcategoryGuid:
+ # Note: Add or remove GUID as you see fit in your env
+ - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
+ - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
+ - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
+ - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
+ - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
+ - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
+ - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
+ - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
+ - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
+ - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
+ - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
+ - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
+ - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
+ - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
+ - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
+ condition: selection and not filter_main_guid
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
new file mode 100644
index 000000000..02bb02aac
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
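Review bot: `'{0CCE9217-69AE-11D9-BED3-505054503030}'` (Audit Account Lockout) is excluded by `filter_main_guid`, but the companion rule ab4561b1 added in the next hunk matches that subcategory only for `'%%8448'`, so removing the failure audit (`'%%8450'`) on Account Lockout is filtered here and not caught there — neither rule fires. Either drop the Account Lockout line from this filter, or let the companion's `selection_state_success_only` accept both `'%%8448'` and `'%%8450'`. Two smaller points: the comment on the Kerberos Authentication Service line ends with a stray `'`, and `modified: 2021/11/27` is carried over unchanged although the filter, the `related` block and the author line are new in this commit, while the other edited rules bump `modified` to 2023/06/2x.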
@@ -0,0 +1,49 @@
+title: Important Windows Event Auditing Disabled
+id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
+related:
+ - id: 69aeb277-f15f-4d2d-b32a-55e883609563
+ type: derived
+status: test
+description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
+references:
+ - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
+ - https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/20
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+logsource:
+ product: windows
+ service: security
+ definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
+detection:
+ selection_state_success_and_failure:
+ EventID: 4719
+ SubcategoryGuid:
+ # Note: Add or remove GUID as you see fit in your env
+ - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
+ - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
+ - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
+ - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
+ - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
+ - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
+ - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
+ - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
+ - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
+ - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
+ - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
+ - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
+ - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
+ - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
+ AuditPolicyChanges|contains:
+ - '%%8448' # This is "Success removed"
+ - '%%8450' # This is "Failure removed"
+ selection_state_success_only:
+ EventID: 4719
+ SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
+ AuditPolicyChanges|contains: '%%8448'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml
deleted file mode 100644
index 6b3e4985b..000000000
--- a/rules/windows/builtin/security/win_security_disable_event_logging.yml
+++ /dev/null
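Review bot: The `related` block declares this rule `derived` from 69aeb277, and 69aeb277 in the preceding hunk declares itself `derived` from this one, which is circular; the older rule (dated 2017) is the origin, so its entry should be `type: similar` (or dropped), leaving `type: derived` only on this side. The 14-GUID list in `selection_state_success_and_failure` is also a verbatim copy of the exclusion list in 69aeb277's `filter_main_guid`, and both carry a "add or remove GUID as you see fit" comment; a note in each file that the two lists must be edited together, e.g. `# Note: Keep in sync with the filter_main_guid list in 69aeb277-f15f-4d2d-b32a-55e883609563`, prevents one-sided edits from opening a gap where neither rule fires.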
@@ -1,30 +0,0 @@
-title: Disabling Windows Event Auditing
-id: 69aeb277-f15f-4d2d-b32a-55e883609563
-status: test
-description: |
- Detects scenarios where system auditing (ie: windows event log auditing) is disabled.
- This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.
- Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
- Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-references:
- - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
-author: '@neu5ron'
-date: 2017/11/19
-modified: 2021/11/27
-tags:
- - attack.defense_evasion
- - attack.t1562.002
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
-detection:
- selection:
- EventID: 4719
- AuditPolicyChanges|contains:
- - '%%8448' # This is "Success removed"
- - '%%8450' # This is "Failure removed"
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
new file mode 100644
index 000000000..f05dbb524
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
@@ -0,0 +1,53 @@
+title: Potential Persistence Via Microsoft Office Startup Folder
+id: 0e20c89d-2264-44ae-8238-aeeaba609ece
+status: test
+description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
+references:
+ - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
+ - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
+author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/06/02
+modified: 2023/06/22
+tags:
+ - attack.persistence
+ - attack.t1137
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_word_paths:
+ - TargetFilename|contains: '\Microsoft\Word\STARTUP'
+ - TargetFilename|contains|all:
+ - '\Office'
+ - '\Program Files'
+ - '\STARTUP'
+ selection_word_extension:
+ TargetFilename|endswith:
+ - '.doc'
+ - '.docm'
+ - '.docx'
+ - '.dot'
+ - '.dotm'
+ - '.rtf'
+ selection_excel_paths:
+ - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
+ - TargetFilename|contains|all:
+ - '\Office'
+ - '\Program Files'
+ - '\XLSTART'
+ selection_excel_extension:
+ TargetFilename|endswith:
+ - '.xls'
+ - '.xlsm'
+ - '.xlsx'
+ - '.xlt'
+ - '.xltm'
+ filter_main_office:
+ Image|endswith:
+ - '\WINWORD.exe'
+ - '\EXCEL.exe'
+ condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
+falsepositives:
+ - Loading a user environment from a backup or a domain controller
+ - Synchronization of templates
+level: high
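Review bot: `filter_main_office` trusts the process name alone (`Image|endswith:` with `'\WINWORD.exe'` and `'\EXCEL.exe'`), while the sibling `file_event_win_office_uncommon_file_startup.yml` in this commit pins its Office exclusion with `Image|startswith: 'C:\Program Files\Microsoft Office\'` and `'C:\Program Files (x86)\Microsoft Office\'`; using the same path anchor here keeps the exclusion tied to the real install and the two rules consistent. Also, `'\Office'`, `'\Program Files'` and `'\STARTUP'` in `selection_word_paths` are bare substrings with no trailing separator, so any path under Program Files containing both "office" and "startup" anywhere qualifies; if the startup directory itself is meant, `'\STARTUP\'` (and `'\XLSTART\'` on the Excel side) is the tighter form.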
diff --git a/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
similarity index 66%
rename from rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
rename to rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
index 22446ba9c..816a00e88 100644
--- a/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
+++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
@@ -1,13 +1,13 @@
-title: Created Files by Office Applications
+title: File With Uncommon Extension Created By An Office Application
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
 status: experimental
-description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
+description: Detects the creation of files with an executable or script extension by an Office application.
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/08/23
-modified: 2022/07/11
+modified: 2023/06/22
 tags:
 - attack.t1204.002
 - attack.execution
@@ -18,37 +18,46 @@ detection:
 #useful_information: Please add more file extensions to the logic of your choice.
 selection1:
 Image|endswith:
- - '\winword.exe'
 - '\excel.exe'
+ - '\msaccess.exe'
+ - '\mspub.exe'
 - '\powerpnt.exe'
+ - '\visio.exe'
+ - '\winword.exe'
 selection2:
 TargetFilename|endswith:
- - '.exe'
- - '.dll'
- - '.ocx'
- - '.com'
- - '.ps1'
- - '.vbs'
- - '.sys'
 - '.bat'
- - '.scr'
+ - '.cmd'
+ - '.com'
+ - '.dll'
+ - '.exe'
+ - '.hta'
+ - '.ocx'
 - '.proj'
- filter_webservicecache: # matches e.g. directory with name *.microsoft.com
+ - '.ps1'
+ - '.scf'
+ - '.scr'
+ - '.sys'
+ - '.vbe'
+ - '.vbs'
+ - '.wsf'
+ - '.wsh'
+ filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
 TargetFilename|contains|all:
 - 'C:\Users\'
 - '\AppData\Local\Microsoft\Office\'
 - '\WebServiceCache\AllUsers'
 TargetFilename|endswith: '.com'
- filter_webex:
+ filter_optional_webex:
 Image|endswith: '\winword.exe'
 TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
 TargetFilename|endswith:
 - '.dll'
 - '.exe'
- filter_localassembly:
+ filter_main_localassembly:
 TargetFilename|contains: '\AppData\Local\assembly\tmp\'
 TargetFilename|endswith: '.dll'
- condition: all of selection* and not 1 of filter_*
+ condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
new file mode 100644
index 000000000..81a19fd6d
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
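Review bot: The `#useful_information:` comment on the first context line still tells users to add file extensions of their choice, which is the sentence the previous hunk just removed from `description`; the comment should go with it, otherwise the file carries two different descriptions of its scope. On coverage, the list now adds the Windows Script Host extensions `.vbe`, `.wsf` and `.wsh` but not `.js` and `.jse`, which the same host runs, so `- '.js'` and `- '.jse'` belong in `selection2` if the rule is meant to cover scripts generally. `selection1`/`selection2` also depart from the `selection_*` naming used by every other rule touched in this commit; `all of selection*` still works, but renaming while the block is being rewritten would be cheap.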
@@ -0,0 +1,63 @@
+title: Uncommon File Created In Office Startup Folder
+id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
+status: experimental
+description: Detects the creation of a file with an uncommon extension in an Office application startup folder
+references:
+ - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+ - http://addbalance.com/word/startup.htm
+ - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
+ - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2022/06/05
+modified: 2023/06/23
+tags:
+ - attack.resource_development
+ - attack.t1587.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_word_paths:
+ - TargetFilename|contains: '\Microsoft\Word\STARTUP'
+ - TargetFilename|contains|all:
+ - '\Office'
+ - '\Program Files'
+ - '\STARTUP'
+ filter_exclude_word_ext:
+ TargetFilename|endswith:
+ - '.docb' # Word binary document introduced in Microsoft Office 2007
+ - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
+ - '.docx' # Word document
+ - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
+ - '.pdf' # PDF documents
+ - '.wll' # Word add-in
+ - '.wwl' # Word add-in
+ selection_excel_paths:
+ - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
+ - TargetFilename|contains|all:
+ - '\Office'
+ - '\Program Files'
+ - '\XLSTART'
+ filter_exclude_excel_ext:
+ TargetFilename|endswith:
+ - '.xls'
+ - '.xlsm'
+ - '.xlsx'
+ - '.xlt'
+ - '.xltm'
+ - '.xll'
+ - '.xlw'
+ filter_main_office_click_to_run:
+ Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ Image|endswith: '\OfficeClickToRun.exe'
+ filter_main_office_apps:
+ Image|startswith:
+ - 'C:\Program Files\Microsoft Office\'
+ - 'C:\Program Files (x86)\Microsoft Office\'
+ Image|endswith:
+ - '\winword.exe'
+ - '\excel.exe'
+ condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
+falsepositives:
+ - Other legitimate extensions used by either excel or word
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_office_winword_startup.yml b/rules/windows/file/file_event/file_event_win_office_winword_startup.yml
deleted file mode 100644
index 51c9a8e5b..000000000
--- a/rules/windows/file/file_event/file_event_win_office_winword_startup.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Creation In User Word Startup Folder
-id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
-status: experimental
-description: Detects the creation of an file in user Word Startup
-references:
- - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- - http://addbalance.com/word/startup.htm
- - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
-author: frack113
-date: 2022/06/05
-tags:
- - attack.resource_development
- - attack.t1587.001
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
- filter_ext:
- TargetFilename|endswith:
- - '.docx' # Word document
- - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- - '.dotx' # Word template
- - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- - '.docb' # Word binary document introduced in Microsoft Office 2007
- - '.pdf' # PDF documents
- - '.wll' # Word add-in
- - '.wwl' # Word add-in
- condition: selection and not filter_ext
-falsepositives:
- - Addition of legitimate plugins
-level: medium
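Review bot: `filter_exclude_word_ext` drops `.dotx`, which the deleted predecessor `file_event_win_office_winword_startup.yml` (the following hunk) listed as `- '.dotx' # Word template`, so a plain Word template placed in STARTUP now alerts as high; unless the omission is deliberate, re-add `- '.dotx' # Word template` next to `.dotm`. On the Excel side, `filter_exclude_excel_ext` lists `.xll` and `.xlw` but not the `.xla`/`.xlam` add-in formats that XLSTART normally holds, which the vague `falsepositives` entry ("Other legitimate extensions") seems to be hinting at; listing them explicitly keeps every add-in install from firing a high-level alert. The two `selection_*_paths` blocks are identical to those in `file_event_win_office_startup_persistence.yml` from the same commit, so a short `# Note: paths mirror 0e20c89d-2264-44ae-8238-aeeaba609ece` above them would help keep the pair in sync.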
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
similarity index 100%
rename from rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
rename to rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
similarity index 53%
rename from rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
rename to rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
index 34152ab99..69ea85f54 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects programs on a Windows system that should not write executables to disk
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
-author: frack113, Florian Roth
+author: frack113, Florian Roth (Nextron Systems)
 date: 2022/08/21
+modified: 2023/06/22
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -15,31 +16,24 @@ logsource:
 detection:
 selection:
 Image|endswith:
- # Microsoft Office Programs Dropping Executables
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- - \msaccess.exe
- - \mspub.exe
- - \eqnedt32.exe
- - \visio.exe
- - \wordpad.exe
- - \wordview.exe
+ # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+ - '\eqnedt32.exe'
+ - '\wordpad.exe'
+ - '\wordview.exe'
 # LOLBINs that can be used to download executables
- - \certutil.exe
- - \certoc.exe
- - \CertReq.exe
- # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- - \Desktopimgdownldr.exe
- - \esentutl.exe
- # - \expand.exe
- - \finger.exe
+ - '\certutil.exe'
+ - '\certoc.exe'
+ - '\CertReq.exe'
+ #- \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - '\Desktopimgdownldr.exe'
+ - '\esentutl.exe'
+ #- \expand.exe
+ - '\mshta.exe'
 # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- - \notepad.exe
- - \AcroRd32.exe
- - \RdrCEF.exe
- - \mshta.exe
- - \hh.exe
+ - '\AcroRd32.exe'
+ - '\RdrCEF.exe'
+ - '\hh.exe'
+ - '\finger.exe'
 TargetFilename|endswith:
 - '.exe'
 - '.dll'
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
similarity index 69%
rename from rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
rename to rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
index 61ec04aa2..95a791490 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
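Review bot: `\notepad.exe` is removed from the list without being moved anywhere, and the new comment only says the Office apps are now covered by c7a74c80 — whose `selection1` in the hunk above lists Office images only — so an executable written by notepad.exe is no longer detected by any rule in this diff; if that is intended the comment should say so, otherwise keep `- '\notepad.exe'` under the last section. The commented-out entries were also changed from `# - \bitsadmin.exe` to `#- \bitsadmin.exe` (same for `expand.exe`), which yamllint's default `comments` rule rejects for lacking a space after `#`; the same change appears in the dropping_script hunk below. The `selection` block's `TargetFilename|endswith` list continues past the end of this hunk.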
@@ -4,8 +4,9 @@ status: experimental
 description: Detects programs on a Windows system that should not write scripts to disk
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
-author: frack113, Florian Roth
+author: frack113, Florian Roth (Nextron Systems)
 date: 2022/08/21
+modified: 2023/06/22
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -15,30 +16,24 @@ logsource:
 detection:
 selection:
 Image|endswith:
- # Microsoft Office Programs Dropping Executables
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- - \msaccess.exe
- - \mspub.exe
+ # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
 - \eqnedt32.exe
- - \visio.exe
 - \wordpad.exe
 - \wordview.exe
 # LOLBINs that can be used to download executables
 - \certutil.exe
 - \certoc.exe
 - \CertReq.exe
- # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ #- \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
 - \Desktopimgdownldr.exe
 - \esentutl.exe
- # - \expand.exe
- - \finger.exe
+ #- \expand.exe
+ - '\mshta.exe'
 # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- - \AcroRd32.exe
- - \RdrCEF.exe
- - \mshta.exe
- - \hh.exe
+ - '\AcroRd32.exe'
+ - '\RdrCEF.exe'
+ - '\hh.exe'
+ - '\finger.exe'
 TargetFilename|endswith:
 - '.ps1'
 - '.bat'
diff --git a/rules/windows/file/file_event/file_event_win_word_template_creation.yml b/rules/windows/file/file_event/file_event_win_word_template_creation.yml
deleted file mode 100644
index 4c1412815..000000000
--- a/rules/windows/file/file_event/file_event_win_word_template_creation.yml
+++ /dev/null
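Review bot: The rewritten `Image|endswith` list now mixes bare and quoted scalars — `- \eqnedt32.exe`, `- \certutil.exe` and `- \Desktopimgdownldr.exe` stay unquoted while the touched entries become `'\mshta.exe'`, `'\AcroRd32.exe'`, `'\hh.exe'`, `'\finger.exe'` — whereas the exe rule in the previous hunk quotes every item; quoting the whole list here keeps the two sibling rules identical in style and matches the quoted `TargetFilename` values below. The comment header also still reads "Programs Dropping Executables" in a rule whose `description` is about scripts, so `# Microsoft Office Programs Dropping Scripts / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4` would be the accurate text. The `selection` block continues past the end of this hunk.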
@@ -1,41 +0,0 @@
-title: Office Template Creation
-id: 0e20c89d-2264-44ae-8238-aeeaba609ece
-status: experimental
-description: Detects creation of template files for Microsoft Office from outside Office
-references:
- - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
-author: Max Altgelt (Nextron Systems)
-date: 2022/06/02
-tags:
- - attack.persistence
- - attack.t1137
-logsource:
- category: file_event
- product: windows
-detection:
- selection_word:
- TargetFilename|endswith:
- - .dot
- - .dotm
- - .doc
- - .docm
- - .docx
- - .rtf
- TargetFilename|contains: '\Microsoft\Word\Startup'
- selection_excel:
- TargetFilename|endswith:
- - .xlt
- - .xltm
- - .xls
- - .xlsm
- - .xlsx
- TargetFilename|contains: '\Microsoft\Excel\Startup'
- filter_office:
- Image|endswith:
- - \WINWORD.exe
- - \EXCEL.exe
- condition: 1 of selection* and not filter_office
-falsepositives:
- - Loading a user environment from a backup or a domain controller
- - Synchronization of templates
-level: high
diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
new file mode 100644
index 000000000..3d6bac448
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -0,0 +1,31 @@ +title: Potential appverifUI.DLL Sideloading +id: ee6cea48-c5b6-4304-a332-10fc6446f484 +status: experimental +description: Detects potential DLL sideloading of "appverifUI.dll" +references: + - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +author: X__Junior (Nextron Systems) +date: 2023/06/20 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\appverifUI.dll' + filter_main_legit_path: + Image: + - 'C:\Windows\SysWOW64\appverif.exe' + - 'C:\Windows\System32\appverif.exe' + ImageLoaded|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml new file mode 100644 index 000000000..2523ed902 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml @@ -0,0 +1,28 @@ +title: Potential ShellDispatch.DLL Sideloading +id: 844f8eb2-610b-42c8-89a4-47596e089663 +status: experimental +description: Detects potential DLL sideloading of "ShellDispatch.dll" +references: + - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +author: X__Junior (Nextron Systems) +date: 2023/06/20 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\ShellDispatch.dll' + filter_main_legit_path: + - ImageLoaded|contains|all: + - ':\Users\' + - '\AppData\Local\Temp\' + - ImageLoaded|contains: ':\Windows\Temp\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Some installers may trigger some false positives +level: medium 
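Review bot: `filter_main_legit_path` pins both `Image` and `ImageLoaded|startswith` to the `C:\` drive, so on a host whose system volume is not C: the filter never applies and every legitimate appverif.exe load of appverifUI.dll alerts at `high`. The drive-agnostic spelling used elsewhere in this same commit (`':\Windows\Temp\'` in the ShellDispatch rule on this line) avoids that; `Image|endswith` on the two `:\Windows\...\appverif.exe` suffixes plus `ImageLoaded|contains` on the three `:\Windows\...\` prefixes keeps the intent without the drive letter.
```yaml
    filter_main_legit_path:
        Image|endswith:
            - ':\Windows\SysWOW64\appverif.exe'
            - ':\Windows\System32\appverif.exe'
        ImageLoaded|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
```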
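Review bot: In the ShellDispatch image_load rule the filter name `filter_main_legit_path` does not describe what it excludes — user and system temp directories, per the `falsepositives` entry about installers — and a reader will assume it lists trusted install locations; `filter_main_installer_temp` says what it does. Since that filter is the only thing keeping the rule quiet, it deserves a comment as well: `# Installers extract and load the DLL from the user or system temp directory (see falsepositives)`. The referenced post's title suggests ShellDispatch.dll is not a Windows-shipped DLL, which, if true, is worth stating in the description so nobody later adds a "legitimate" system path to the filter.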
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
index 35deb3f16..6cd5cf46b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021/06/07
-modified: 2023/06/05
+modified: 2023/07/13
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -20,46 +20,59 @@ logsource: detection: selection_options_disabling_preference: HostApplication|contains: 'Set-MpPreference' - selection_options_disabling_value: - HostApplication|contains: - - ' 1 ' - - '$true' selection_options_disabling_function: HostApplication|contains: - - 'dbaf' - - 'dbm' - - 'dips' - - 'DisableArchiveScanning' - - 'DisableBehaviorMonitoring' - - 'DisableBlockAtFirstSeen' - - 'DisableIntrusionPreventionSystem' - - 'DisableIOAVProtection' - - 'DisableRealtimeMonitoring' - - 'DisableRemovableDriveScanning' - - 'DisableScanningMappedNetworkDrivesForFullScan' - - 'DisableScanningNetworkFiles' - - 'DisableScriptScanning' - - 'drdsc' - - 'drtm' - - 'dscrptsc' - - 'dsmndf' - - 'dsnf' - - 'dss' + - '-dbaf $true' + - '-dbaf 1' + - '-dbm $true' + - '-dbm 1' + - '-dips $true' + - '-dips 1' + - '-DisableArchiveScanning $true' + - '-DisableArchiveScanning 1' + - '-DisableBehaviorMonitoring $true' + - '-DisableBehaviorMonitoring 1' + - '-DisableBlockAtFirstSeen $true' + - '-DisableBlockAtFirstSeen 1' + - '-DisableIntrusionPreventionSystem $true' + - '-DisableIntrusionPreventionSystem 1' + - '-DisableIOAVProtection $true' + - '-DisableIOAVProtection 1' + - '-DisableRealtimeMonitoring $true' + - '-DisableRealtimeMonitoring 1' + - '-DisableRemovableDriveScanning $true' + - '-DisableRemovableDriveScanning 1' + - '-DisableScanningMappedNetworkDrivesForFullScan $true' + - '-DisableScanningMappedNetworkDrivesForFullScan 1' + - '-DisableScanningNetworkFiles $true' + - '-DisableScanningNetworkFiles 1' + - '-DisableScriptScanning $true' + - '-DisableScriptScanning 1' + - '-drdsc $true' + - '-drdsc 1' + - '-drtm $true' + - '-drtm 1' + - '-dscrptsc $true' + - '-dscrptsc 1' + - '-dsmndf $true' + - '-dsmndf 1' + - '-dsnf $true' + - '-dsnf 1' + - '-dss $true' + - '-dss 1' selection_other_default_actions_allow: - HostApplication|contains|all: - - 'Set-MpPreference' - - 'Allow' + HostApplication|contains: 'Set-MpPreference' + selection_other_default_actions_func: 
HostApplication|contains: - - 'LowThreatDefaultAction' - - 'ModerateThreatDefaultAction' - - 'HighThreatDefaultAction' - selection_other_use_of_alias: - HostApplication|contains: - - 'ltdefac ' - - 'mtdefac ' - - 'htdefac ' - - 'stdefac ' + - 'HighThreatDefaultAction Allow' + - 'htdefac Allow' + - 'LowThreatDefaultAction Allow' + - 'ltdefac Allow' + - 'ModerateThreatDefaultAction Allow' + - 'mtdefac Allow' + - 'SevereThreatDefaultAction Allow' + - 'stdefac Allow' condition: all of selection_options_disabling_* or 1 of selection_other_* falsepositives: - - Unknown + - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated. level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml index 980b9113c..6384a1d69 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml @@ -9,7 +9,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Nikita Nazarov, oscd.community, Tim Shelton date: 2020/10/06 -modified: 2023/01/09 +modified: 2023/06/20 tags: - attack.execution - attack.t1059.001 @@ -23,7 +23,7 @@ detection: ScriptBlockText|contains: - 'AddSecurityPackage' - 'AdjustTokenPrivileges' - - 'Advapi32' + #- 'Advapi32' - 'CloseHandle' - 'CreateProcessWithToken' - 'CreateRemoteThread' 
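Review bot: The context line `condition: all of selection_options_disabling_* or 1 of selection_other_*` is now wrong on its right-hand side: `selection_other_default_actions_allow` was reduced to `HostApplication|contains: 'Set-MpPreference'`, so `1 of selection_other_*` fires on every HostApplication that mentions Set-MpPreference at all, regardless of the `... Allow` values in `selection_other_default_actions_func`. The script-block twin of this rule later in this commit (posh_ps_tamper_windows_defender_set_mp.yml) makes the matching change to its condition; this file needs it too: `condition: all of selection_options_disabling_* or all of selection_other_default_actions_*`. The whole `detection:` block is inside the hunk, so no other selection is affected.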
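Review bot: `#- 'Advapi32'` in posh_ps_accessing_win_api.yml disables a keyword with no record of why, and the same pattern appears for `#- 'LSA_UNICODE_STRING'` in posh_ps_malicious_keywords.yml further down; in six months nobody will know whether these were false-positive driven or accidental. Put the reason on the line, e.g. `# - 'Advapi32'  # Disabled: <reason — fill in from the issue that motivated it>`, and keep the space after the hash that the repository's other comments use so yamllint does not flag it.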
@@ -68,10 +68,13 @@ detection: - 'WriteInt32' - 'WriteProcessMemory' - 'ZeroFreeGlobalAllocUnicode' - filter_amazon: + filter_optional_amazon: ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.' # aws scripts leverage CreateFile and CloseHandle may filter out these 2 items - ScriptBlockText|contains: 'function Import-SerialPortUtil ' - condition: selection and not 1 of filter_* + ScriptBlockText|contains: + - 'function Import-SerialPortUtil ' + - 'CloseHandle' + - 'DllImport("KernelBase.dll"' + condition: selection and not 1 of filter_optional_* falsepositives: - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon) level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml index 9a1326c6e..989e45185 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml @@ -6,7 +6,7 @@ references: - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (Nextron Systems) date: 2017/03/05 -modified: 2022/12/25 +modified: 2023/06/20 tags: - attack.execution - attack.t1059.001 @@ -19,12 +19,14 @@ detection: ScriptBlockText|contains: - 'AdjustTokenPrivileges' - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC' + #- 'LSA_UNICODE_STRING' + - 'Metasploit' - 'Microsoft.Win32.UnsafeNativeMethods' - - 'ReadProcessMemory.Invoke' - - 'SE_PRIVILEGE_ENABLED' - - 'LSA_UNICODE_STRING' + - 'Mimikatz' - 'MiniDumpWriteDump' - 'PAGE_EXECUTE_READ' + - 'ReadProcessMemory.Invoke' + - 'SE_PRIVILEGE_ENABLED' - 'SECURITY_DELEGATION' - 'TOKEN_ADJUST_PRIVILEGES' - 'TOKEN_ALL_ACCESS' 
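Review bot: The comment `# aws scripts leverage CreateFile and CloseHandle may filter out these 2 items` is now stale: this hunk adds `'CloseHandle'` to the filter, so the note reads as an open suggestion that has already been applied. Reword it to state what the filter does, e.g. `# Amazon scripts (identified by the copyright header) use CreateFile/CloseHandle; the entries below are excluded only when that header matches`. It is worth spelling out that the `ScriptBlockText|contains` list is ANDed with the `startswith` on the copyright line, because that is the only thing keeping `'CloseHandle'` from silencing the whole rule — on its own the entry looks alarmingly broad.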
@@ -35,9 +37,7 @@ detection: - 'TOKEN_INFORMATION_CLASS' - 'TOKEN_PRIVILEGES' - 'TOKEN_QUERY' - - 'Metasploit' - - 'Mimikatz' condition: selection falsepositives: - - Unknown -level: high + - Depending on the scripts, this rule might require some initial tunning to fit the environment +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index 4bfc60ee9..5499f3a0d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml @@ -9,9 +9,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ -author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel +author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2022/01/16 -modified: 2023/06/05 +modified: 2023/06/21 tags: - attack.defense_evasion - attack.t1562.001 
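Review bot: `tunning` in the new falsepositives entry should be `tuning`: `- Depending on the scripts, this rule might require some initial tuning to fit the environment`. The entry ends without a period like the other entries in this repository, so only the spelling needs fixing; the drop to `level: medium` is consistent with that wording.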
@@ -22,46 +22,59 @@ logsource: detection: selection_options_disabling_preference: ScriptBlockText|contains: 'Set-MpPreference' - selection_options_disabling_value: - ScriptBlockText|contains: - - ' 1 ' - - '$true' selection_options_disabling_function: ScriptBlockText|contains: - - 'dbaf' - - 'dbm' - - 'dips' - - 'DisableArchiveScanning' - - 'DisableBehaviorMonitoring' - - 'DisableBlockAtFirstSeen' - - 'DisableIntrusionPreventionSystem' - - 'DisableIOAVProtection' - - 'DisableRealtimeMonitoring' - - 'DisableRemovableDriveScanning' - - 'DisableScanningMappedNetworkDrivesForFullScan' - - 'DisableScanningNetworkFiles' - - 'DisableScriptScanning' - - 'drdsc' - - 'drtm' - - 'dscrptsc' - - 'dsmndf' - - 'dsnf' - - 'dss' + - '-dbaf $true' + - '-dbaf 1' + - '-dbm $true' + - '-dbm 1' + - '-dips $true' + - '-dips 1' + - '-DisableArchiveScanning $true' + - '-DisableArchiveScanning 1' + - '-DisableBehaviorMonitoring $true' + - '-DisableBehaviorMonitoring 1' + - '-DisableBlockAtFirstSeen $true' + - '-DisableBlockAtFirstSeen 1' + - '-DisableIntrusionPreventionSystem $true' + - '-DisableIntrusionPreventionSystem 1' + - '-DisableIOAVProtection $true' + - '-DisableIOAVProtection 1' + - '-DisableRealtimeMonitoring $true' + - '-DisableRealtimeMonitoring 1' + - '-DisableRemovableDriveScanning $true' + - '-DisableRemovableDriveScanning 1' + - '-DisableScanningMappedNetworkDrivesForFullScan $true' + - '-DisableScanningMappedNetworkDrivesForFullScan 1' + - '-DisableScanningNetworkFiles $true' + - '-DisableScanningNetworkFiles 1' + - '-DisableScriptScanning $true' + - '-DisableScriptScanning 1' + - '-drdsc $true' + - '-drdsc 1' + - '-drtm $true' + - '-drtm 1' + - '-dscrptsc $true' + - '-dscrptsc 1' + - '-dsmndf $true' + - '-dsmndf 1' + - '-dsnf $true' + - '-dsnf 1' + - '-dss $true' + - '-dss 1' selection_other_default_actions_allow: - ScriptBlockText|contains|all: - - 'Set-MpPreference' - - 'Allow' + ScriptBlockText|contains: 'Set-MpPreference' + selection_other_default_actions_func: 
ScriptBlockText|contains: - - 'LowThreatDefaultAction' - - 'ModerateThreatDefaultAction' - - 'HighThreatDefaultAction' - selection_other_use_of_alias: - ScriptBlockText|contains: - - 'ltdefac ' - - 'mtdefac ' - - 'htdefac ' - - 'stdefac ' - condition: all of selection_options_disabling_* or 1 of selection_other_* + - 'HighThreatDefaultAction Allow' + - 'htdefac Allow' + - 'LowThreatDefaultAction Allow' + - 'ltdefac Allow' + - 'ModerateThreatDefaultAction Allow' + - 'mtdefac Allow' + - 'SevereThreatDefaultAction Allow' + - 'stdefac Allow' + condition: all of selection_options_disabling_* or all of selection_other_default_actions_* falsepositives: - - Legitimate PowerShell scripts + - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated. level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml similarity index 73% rename from rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml rename to rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml index f801194c0..d7d2885b4 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml +++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml 
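Review bot: Tightening the values from bare parameter names to `'-dbaf $true'` / `'-dbaf 1'` removes the old `' 1 '`/`'$true'` false positives, but the new list only covers the single-space spelling; PowerShell also accepts the colon form for the same parameters, so consider listing it too (`'-dbaf:$true'`, `'-DisableRealtimeMonitoring:$true'`, …) or record the choice: `# Note: only the "-Param $true" / "-Param 1" spellings are matched`. The same narrowing applies to the classic-PowerShell twin earlier in this diff (posh_pc_tamper_windows_defender_set_mp.yml). The 38 doubled entries would collapse to 19 with a `|re` modifier, but that trades portability across Sigma backends, so the explicit list is defensible as long as the coverage decision is written down.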
@@ -1,13 +1,14 @@ -title: Use of Adplus.exe +title: Potential Adplus.EXE Abuse id: 2f869d59-7f6a-4931-992c-cce556ff2d53 status: experimental -description: The "AdPlus.exe" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands +description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ - https://twitter.com/nas_bench/status/1534916659676422152 - https://twitter.com/nas_bench/status/1534915321856917506 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/09 +modified: 2023/06/23 tags: - attack.defense_evasion - attack.execution @@ -31,7 +32,7 @@ detection: - ' -c ' # Execute commands inline - ' -sc ' - condition: all of selection* + condition: all of selection_* falsepositives: - - Legitimate usage of Adplus -level: medium + - Legitimate usage of Adplus for debugging purposes +level: high diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml new file mode 100644 index 000000000..44ab5aaf4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
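Review bot: `level: high` now sits next to a falsepositives entry that names routine developer debugging (`Legitimate usage of Adplus for debugging purposes`), which reads as a contradiction on fleets where the Windows SDK is installed; either keep `medium` or say in the description why `-c`/`-sc` usage is treated as high-confidence. The `selection*` → `selection_*` normalization is good and should be applied consistently — the vmtoolsd rule later in this diff still uses `all of selection*`. The selection block starts above the hunk, so only the two cli flags are visible here.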
@@ -0,0 +1,25 @@ +title: Rebuild Performance Counter Values Via Lodctr.EXE +id: cc9d3712-6310-4320-b2df-7cb408274d53 +status: experimental +description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. +references: + - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/15 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\lodctr.exe' + OriginalFileName: 'LODCTR.EXE' + selection_cli: + CommandLine|contains: + - ' /r' + - ' -r' + condition: all of selection_* +falsepositives: + - Legitimate usage by an administrator +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml index b91ca53a8..97903c6cf 100644 --- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml +++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml 
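Review bot: The only reference for this lodctr rule is the TpmVscMgr documentation URL (`.../virtual-smart-card-tpmvscmgr`), the same one used by the tpmvscmgr rule added later in this diff; it says nothing about lodctr or performance counters, so it needs replacing with a lodctr source (placeholder: `<lodctr reference URL>`). The description says the technique is used to "confuse and evade monitoring and security solutions", yet the only tag is `attack.execution`; `attack.defense_evasion` belongs alongside it. `selection_img` also ANDs `Image|endswith` and `OriginalFileName` in one map, so a telemetry source that does not populate OriginalFileName never matches — the rundll32/ShellDispatch and vmtoolsd rules in this diff use the list form (`- Image|endswith: …` / `- OriginalFileName: …`) to OR them; the tpmvscmgr rule on this diff has the same AND and the same fix applies there.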
@@ -1,12 +1,18 @@ title: Potential Arbitrary File Download Using Office Application id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed +related: + - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 + type: obsoletes status: experimental description: Detects potential arbitrary file download using a Microsoft Office application references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ -author: Nasreddine Bencherchali (Nextron Systems) + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/ + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/ + - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 +author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community date: 2022/05/17 -modified: 2023/04/06 +modified: 2023/06/22 tags: - attack.defense_evasion - attack.t1202 @@ -30,4 +36,4 @@ detection: condition: all of selection_* falsepositives: - Unknown -level: medium +level: high diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml new file mode 100644 index 000000000..5dc5b65fc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml 
@@ -0,0 +1,51 @@ +title: Potentially Suspicious Office Document Executed From Trusted Location +id: f99abdf0-6283-4e71-bd2b-b5c048a94743 +status: experimental +description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. +references: + - Internal Research + - https://twitter.com/Max_Mal_/status/1633863678909874176 + - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465 + - https://twitter.com/_JohnHammond/status/1588155401752788994 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/21 +tags: + - attack.defense_evasion + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection_parent: + # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use + ParentImage|endswith: + - '\explorer.exe' + - '\dopus.exe' + selection_img: + - Image|endswith: + - '\EXCEL.EXE' + - '\POWERPNT.EXE' + - '\WINWORD.exe' + - OriginalFileName: + - 'Excel.exe' + - 'POWERPNT.EXE' + - 'WinWord.exe' + selection_trusted_location: + CommandLine|contains: + # Note: these are the default locations. Admins/Users could add additional ones that you need to cover + - '\AppData\Roaming\Microsoft\Templates' + - '\AppData\Roaming\Microsoft\Word\Startup\' + - '\Microsoft Office (x86)\root\Templates\' + - '\Microsoft Office (x86)\Templates\' + - '\Microsoft Office\root\Templates\' + - '\Microsoft Office\Templates\' + filter_main_dotx: + # Note: We add this filter to avoid curious people clicking on template files + CommandLine|endswith: + - '.dotx' + - '.xltx' + - '.potx' + condition: all of selection_* and not 1 of filter_main_* +falsepositives: + - Unknown +level: high 
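Review bot: `filter_main_dotx` uses `CommandLine|endswith: '.dotx'`, but Office is normally launched with the document path in quotes, so the command line ends with `.dotx"` and the filter never applies — every double-click on a template in these folders then alerts at `high`, which is exactly the case the filter comment says it wants to suppress. The regasm rule in this same diff handles the quoted form by listing both spellings; add `- '.dotx"'`, `- '.xltx"'`, `- '.potx"'` next to the bare ones. Separately, `'\AppData\Roaming\Microsoft\Templates'` is the only trusted-location entry without a trailing backslash, so it also matches sibling names such as `\Templates.bak`; make it `'\AppData\Roaming\Microsoft\Templates\'` for consistency.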
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml similarity index 76% rename from rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml rename to rules/windows/process_creation/proc_creation_win_pktmon_execution.yml index 80352a3b0..d6afde716 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml +++ b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml @@ -1,12 +1,12 @@ -title: Use of PktMon.exe +title: PktMon.EXE Execution id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908 status: test -description: Tools to capture network packets on Windows 10 with October 2018 update or later. +description: Detects execution of PktMon, a tool that captures network packets. references: - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/ author: frack113 date: 2022/03/17 -modified: 2023/01/31 +modified: 2023/06/23 tags: - attack.credential_access - attack.t1040 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml rename to rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml index a3dd645cb..f46b5b247 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml +++ b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml 
@@ -33,16 +33,16 @@ detection: - '\PerfLogs\' - '\Windows\Temp\' - '\Microsoft\Windows\Start Menu\Programs\Startup\' - filter_dll: + filter_main_dll: CommandLine|contains: '.dll' - filter_no_cli: + filter_main_no_cli: # For when the CLI just contains the Image CommandLine|endswith: - '\Regasm.exe"' - '\Regasm.exe' - '\Regsvcs.exe"' - '\Regsvcs.exe' - condition: all of selection_* or (selection_img and not 1 of filter_*) + condition: all of selection_* or (selection_img and not 1 of filter_main_*) falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml rename to rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml new file mode 100644 index 000000000..38f3a68df --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml 
@@ -0,0 +1,24 @@ +title: Potential ShellDispatch.DLL Functionality Abuse +id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9 +status: experimental +description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" +references: + - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +author: X__Junior (Nextron Systems) +date: 2023/06/20 +tags: + - attack.execution + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: 'RUNDLL32.EXE' + selection_cli: + CommandLine|contains: 'RunDll_ShellExecuteW' + condition: all of selection_* +falsepositives: + - Unlikely +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml index 4bd0f950a..fe355d393 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml 
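Review bot: The tags stop at tactics (`attack.execution`, `attack.defense_evasion`) with no technique, while every other new rule in this diff carries one; rundll32 proxy execution is `attack.t1218.011`, so add `- attack.t1218.011`. `falsepositives: Unlikely` paired with `level: medium` is also at odds with the appverifUI rule above, which pairs `Unlikely` with `high`; if the lower level is deliberate, say why in the falsepositives entry instead of `Unlikely`.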
@@ -1,11 +1,14 @@
 title: Script Interpreter Execution From Suspicious Folder
 id: 1228c958-e64e-4e71-92ad-7d429f4138ba
 status: test
-description: Detects a suspicious script executions in temporary folders or folders accessible by environment variables
+description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
 references:
 - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
-author: Florian Roth (Nextron Systems)
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
+ - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/02/08
+modified: 2023/06/16
 tags:
 - attack.execution
 - attack.t1059
@@ -13,37 +16,43 @@ logsource: category: process_creation product: windows detection: - selection_image: + selection_proc_image: Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\cscript.exe' - '\mshta.exe' - '\wscript.exe' - - '\cscript.exe' - - '\cmd.exe' - selection_flags: + selection_proc_flags: CommandLine|contains: - - ' -w hidden ' - ' -ep bypass ' - - '/e:vbscript ' + - ' -ExecutionPolicy bypass ' + - ' -w hidden ' - '/e:javascript ' - selection_original: + - '/e:Jscript ' + - '/e:vbscript ' + selection_proc_original: OriginalFileName: - - 'powershell.exe' - - 'pwsh.dll' + - 'cscript.exe' - 'mshta.exe' - 'wscript.exe' - - 'cscript.exe' - - 'cmd.exe' - folders: - Image|contains: - - '\Windows\Temp' - - '\Temporary Internet' + selection_folders_1: + CommandLine|contains: + - ':\Perflogs\' + - ':\Users\Public\' - '\AppData\Local\Temp' - '\AppData\Roaming\Temp' - - 'C:\Users\Public\' - - 'C:\Perflogs\' - condition: 1 of selection* and folders + - '\Temporary Internet' + - '\Windows\Temp' + selection_folders_2: + - CommandLine|contains|all: + - ':\Users\' + - '\Favorites\' + - CommandLine|contains|all: + - ':\Users\' + - '\Favourites\' + - CommandLine|contains|all: + - ':\Users\' + - '\Contacts\' + condition: 1 of selection_proc_* and 1 of selection_folders_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml new file mode 100644 index 000000000..21165f169 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml 
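Review bot: The folder match moved from `Image|contains` (where the interpreter binary lives) to `CommandLine|contains` (where the script argument lives), but the title still reads `Script Interpreter Execution From Suspicious Folder`; the description was updated to match the new behaviour, so the title should follow, e.g. `Script Execution From Suspicious Folder`. `'\Favourites\'` in `selection_folders_2` is not a Windows profile folder name (the shell folder is `Favorites`, already listed), so either document why the alternate spelling is included or drop it. Removing powershell/pwsh/cmd from `selection_proc_image` while keeping the `-ep bypass` / `-w hidden` flags means PowerShell launched from these folders without those flags is now out of scope; if that is intended, a comment on `selection_proc_flags` such as `# PowerShell is only covered via its evasion flags, not by image name` saves the next reader from re-adding it.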
@@ -0,0 +1,23 @@ +title: New Virtual Smart Card Created Via TpmVscMgr.EXE +id: c633622e-cab9-4eaa-bb13-66a1d68b3e47 +status: experimental +description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card. +references: + - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/15 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\tpmvscmgr.exe' + OriginalFileName: 'TpmVscMgr.exe' + selection_cli: + CommandLine|contains: 'create' + condition: all of selection_* +falsepositives: + - Legitimate usage by an administrator +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml index 1f76ab246..7573e000b 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml @@ -4,7 +4,8 @@ status: experimental description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ -author: behops, Bhabesh Raj + - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png +author: bohops, Bhabesh Raj date: 2021/10/08 modified: 2022/07/14 tags: 
@@ -20,31 +21,30 @@ detection: selection_img: - Image|endswith: - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' - '\powershell.exe' - '\pwsh.exe' - - '\rundll32.exe' - '\regsvr32.exe' + - '\rundll32.exe' - '\wscript.exe' - - '\cscript.exe' - OriginalFileName: - 'Cmd.Exe' + - 'cscript.exe' + - 'MSHTA.EXE' - 'PowerShell.EXE' - 'pwsh.dll' - - 'RUNDLL32.EXE' - 'REGSVR32.EXE' + - 'RUNDLL32.EXE' - 'wscript.exe' - - 'cscript.exe' - filter: + filter_main_vmwaretools_script: + Image|endswith: '\cmd.exe' CommandLine|contains: - '\VMware\VMware Tools\poweron-vm-default.bat' - '\VMware\VMware Tools\poweroff-vm-default.bat' - '\VMware\VMware Tools\resume-vm-default.bat' - '\VMware\VMware Tools\suspend-vm-default.bat' - condition: all of selection* and not filter -fields: - - CommandLine - - ParentCommandLine - - Details + condition: all of selection* and not 1 of filter_main_* falsepositives: - - Legitimate use by administrator + - Legitimate use by VM administrator level: high diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index 99c7f2c4a..5f4d2b9a1 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml @@ -4,6 +4,7 @@ status: experimental description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 +modified: 2023/06/19 tags: - attack.execution - attack.t1059.005 @@ -37,4 +38,4 @@ detection: condition: all of selection_* falsepositives: - Unknown -level: medium +level: high 
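Review bot: `condition: all of selection* and not 1 of filter_main_*` keeps the bare `selection*` glob that this same commit normalizes to `selection_*` in the adplus rule; use `condition: all of selection_* and not 1 of filter_main_*` here too. Binding the VMware Tools script filter to `Image|endswith: '\cmd.exe'` is a real improvement — previously any listed script host with one of those .bat paths on its command line was excluded as well. Dropping the `fields:` list may change what some backends show in the alert; since nothing in the hunk explains the removal, a one-line comment or a note in the commit message would help.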
diff --git a/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml b/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml old mode 100755 new mode 100644 similarity index 61% rename from rules/windows/registry/registry_event/registry_event_trust_record_modification.yml rename to rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml index d26fdce5f..a465f0424 --- a/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml +++ b/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml @@ -1,13 +1,17 @@ title: Windows Registry Trust Record Modification id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 +related: + - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd + type: similar status: test description: Alerts on trust record modification within the registry, indicating usage of macros references: - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html -author: Antonlovesdnb + - https://twitter.com/inversecos/status/1494174785621819397 +author: Antonlovesdnb, Trent Liffick (@tliffick) date: 2020/02/19 -modified: 2021/11/27 +modified: 2023/06/21 tags: - attack.initial_access - attack.t1566.001 @@ -16,8 +20,8 @@ logsource: product: windows detection: selection: - TargetObject|contains: 'TrustRecords' + TargetObject|contains: '\Security\Trusted Documents\TrustRecords' condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - This will alert on legitimate macro usage as well, additional tuning is required level: medium diff --git a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml new file mode 100644 index 000000000..10adfe77b --- /dev/null 
+++ b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml @@ -0,0 +1,29 @@ +title: Trust Access Disable For VBApplications +id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf +related: + - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd + type: obsoletes +status: test +description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. +references: + - https://twitter.com/inversecos/status/1494174785621819397 + - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ + - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ +author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) +date: 2020/05/22 +modified: 2023/06/21 +tags: + - attack.defense_evasion + - attack.t1112 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: Setvalue + TargetObject|endswith: '\Security\AccessVBOM' + Details: 'DWORD (0x00000001)' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml new file mode 100644 index 000000000..628e14727 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml 
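Review bot: The title `Trust Access Disable For VBApplications` and the description say a value of `1` disables trust access, but as far as I know `AccessVBOM` = 1 is the setting that enables "Trust access to the VBA project object model"; the detection is right, only the wording is inverted, e.g. `description: Detects changes to the Microsoft Office "AccessVBOM" registry value to "1", which enables trusted access to the VBA project object model and lets malicious code manipulate macros without Office prompting the user.` and a title such as `VBA Project Object Model Access Enabled`. `EventType: Setvalue` is also spelled differently from `EventType: SetValue` in the protected-view rule that follows; Sigma matching is case-insensitive, so it is cosmetic, but one spelling across the new rules is easier to grep.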
@@ -0,0 +1,43 @@
+title: Microsoft Office Protected View Disabled
+id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
+related:
+    - id: 7c637634-c95d-4bbf-b26c-a82510874b34
+      type: obsoletes
+status: test
+description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+    - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
+    - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/06/08
+modified: 2023/06/21
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection_path:
+        EventType: SetValue
+        TargetObject|contains|all:
+            - '\SOFTWARE\Microsoft\Office\'
+            - '\Security\ProtectedView\'
+    selection_values_1:
+        Details: 'DWORD (0x00000001)'
+        TargetObject|endswith:
+            - '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
+            - '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
+            - '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
+            - '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
+    selection_values_0:
+        Details: 'DWORD (0x00000000)'
+        TargetObject|endswith:
+            - '\enabledatabasefileprotectedview'
+            - '\enableforeigntextfileprotectedview'
+    condition: selection_path and 1 of selection_values_*
+falsepositives:
+    - Unlikely
+level: high
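Review bot: `selection_path` requires `\SOFTWARE\Microsoft\Office\` in the target object, but the admx.help reference cited in this same hunk documents these values under `HKCU\software\policies\microsoft\office\16.0\...\security\protectedview`, a path in which `\Microsoft\Office\` is preceded by `\Policies\` and therefore never contains that substring; a policy-hive write of the same values is missed by the rule. Relaxing the first `contains|all` entry to `- '\Microsoft\Office\'` covers both the per-application and the Policies trees while still anchoring on the Office key. The spelling `\DisableAttachementsInPV` appears to be the registry value's own (misspelled) name rather than a typo in the rule; a short comment such as `# value name is spelled this way in the registry` would stop a future contributor from "correcting" it — confirm against a live key before relying on it.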
diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
new file mode 100644
index 000000000..479c4a3ed
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -0,0 +1,35 @@
+title: Macro Enabled In A Potentially Suspicious Document
+id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+related:
+    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
+      type: derived
+status: experimental
+description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
+references:
+    - https://twitter.com/inversecos/status/1494174785621819397
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/21
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_value:
+        EventType: Setvalue
+        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
+    selection_paths:
+        TargetObject|contains:
+            # Note: add more locations where you don't expect a user to executed macro enabled docs
+            - '/AppData/Local/Microsoft/Windows/INetCache/'
+            - '/AppData/Local/Temp/'
+            - '/PerfLogs/'
+            - 'C:/Users/Public/'
+            - 'file:///D:/'
+            - 'file:///E:/'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
new file mode 100644
index 000000000..b1c8419fc
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
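Review bot: `id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd` is the identifier that the `related: ... type: obsoletes` entries of the AccessVBOM and VBAWarnings rules in this same commit point at, and that the trust-record rule above marks as `similar`; reusing it for this newly added rule makes those links declare this rule obsoleted on the day it is created, and the same point applies to the VBAWarnings hunk below. Assign a fresh UUID here and keep a166… for the rule those links were written for. The comment in `selection_paths` should read `# Note: add more locations where you don't expect a user to execute macro-enabled docs`. The `contains` entries assume TrustRecords value names are written with forward slashes and an environment-variable prefix; if the recorded name for the Public folder is `%PUBLIC%/...` rather than `C:/Users/Public/`, that entry never matches — worth confirming against a sample event before the rule leaves experimental.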
@@ -0,0 +1,47 @@
+title: Uncommon Microsoft Office Trusted Location Added
+id: f742bde7-9528-42e5-bd82-84f51a8387d2
+related:
+    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
+      type: derived
+status: experimental
+description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
+references:
+    - Internal Research
+    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/21
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: Setvalue
+        TargetObject|contains: 'Security\Trusted Locations\Location'
+        TargetObject|endswith: '\Path'
+    filter_exclude_known_paths:
+        Details|startswith:
+            - '%APPDATA%\Microsoft\Templates'
+            - '%%APPDATA%%\Microsoft\Templates'
+            - '%APPDATA%\Microsoft\Word\Startup'
+            - '%%APPDATA%%\Microsoft\Word\Startup'
+            - 'C:\Program Files (x86)\Microsoft Office\root\Templates\'
+            - 'C:\Program Files\Microsoft Office (x86)\Templates'
+            - 'C:\Program Files\Microsoft Office\root\Templates\'
+            - 'C:\Program Files\Microsoft Office\Templates\'
+    filter_main_office_click_to_run:
+        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_main_office_apps:
+        Image|startswith:
+            - 'C:\Program Files\Microsoft Office\'
+            - 'C:\Program Files (x86)\Microsoft Office\'
+        Image|endswith:
+            - '\winword.exe'
+            - '\excel.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
+falsepositives:
+    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
+level: high
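Review bot: `'C:\Program Files\Microsoft Office (x86)\Templates'` in `filter_exclude_known_paths` looks like a transposed `'C:\Program Files (x86)\Microsoft Office\Templates\'`, the 32-bit counterpart of the entry two lines below; as written it excludes a path that does not exist on a default install, so the one it was meant to cover stays unfiltered. `filter_main_office_apps` also drops every `\Path` write made by winword.exe or excel.exe under Program Files regardless of the value, so a trusted location added from inside a running Office session is never compared against the known-path list; consider folding the known-path check into that filter (i.e. exempt those images only when `Details` also starts with a known path) rather than exempting the images outright. Finally, `TargetObject|contains: 'Security\Trusted Locations\Location'` lacks the leading backslash the other new rules use (`'\Security\...'`); harmless for matching, but worth aligning.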
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
new file mode 100644
index 000000000..45f89d1af
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -0,0 +1,29 @@
+title: Office Macros Auto-Enabled
+id: 91239011-fe3c-4b54-9f24-15c86bb65913
+related:
+    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+      type: obsoletes
+status: test
+description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
+references:
+    - https://twitter.com/inversecos/status/1494174785621819397
+    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
+    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
+author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
+date: 2020/05/22
+modified: 2023/06/21
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: Setvalue
+        TargetObject|endswith: '\Security\VBAWarnings'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 846585b37..f41fe4544 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
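Review bot: The description refers to `"VBAWarning"` while the selection matches `\Security\VBAWarnings`, which is the value's actual name; suggested: `Detects registry changes to Microsoft Office "VBAWarnings" to a value of "1" which enables the execution of all macros, whether signed or unsigned.`. The selection also does not anchor on an Office key the way the Protected View rule does with its `\Microsoft\Office\` entry; `\Security\VBAWarnings` is specific enough that this is probably fine, but adding `TargetObject|contains: '\Microsoft\Office\'` would keep the new registry_set rules consistent and rule out unrelated software using the same value name.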
@@ -5,7 +5,7 @@ description: Detects potential PowerShell commands or code within registry run k
 references:
     - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
     - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
-author: frack113, Florian Roth
+author: frack113, Florian Roth (Nextron Systems)
 date: 2022/03/17
 modified: 2023/01/19
 tags: