Merge pull request #1330 from d4rk-d4nph3/master

Added Stealthy Office Persistence via VSTO

rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml

@@ -0,0 +1,29 @@
+title: Oracle WebLogic Exploit CVE-2021-2109
+id: 687f6504-7f44-4549-91fc-f07bab065821
+status: experimental
+description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 
+author: Bhabesh Raj
+date: 2021/01/20
+references:
+    - https://twitter.com/pyn3rd/status/1351696768065409026
+    - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'GET'
+        c-uri|contains|all:
+            - 'com.bea.console.handles.JndiBindingHandle'
+            - 'ldap://'
+            - 'AdminServer'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.t1190
+    - attack.initial_access
+    - cve.2021-2109

rules/windows/registry_event/sysmon_office_vsto_persistence.yml

@@ -0,0 +1,26 @@
+title: Stealthy VSTO Persistence
+id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
+status: experimental
+description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
+references:
+    - https://twitter.com/_vivami/status/1347925307643355138
+tags:
+    - attack.t1137.006
+    - attack.persistence
+author: Bhabesh Raj
+date: 2021/01/10
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:
+        TargetObject|contains:
+        - '\Software\Microsoft\Office\Outlook\Addins\'
+        - '\Software\Microsoft\Office\Word\Addins\'
+        - '\Software\Microsoft\Office\Excel\Addins\'
+        - '\Software\Microsoft\Office\Powerpoint\Addins\'
+        - '\Software\Microsoft\VSTO\Security\Inclusion\'
+    condition: selection
+falsepositives:
+  - Unknown
+level: high