From f4d5238049f61022c53e1de4cb81811a31806195 Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Mon, 15 Nov 2021 12:30:51 +0100
Subject: [PATCH 1/3] fix: FP

---
 rules/windows/malware/registry_event_mal_ursnif.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml
index 312770122..3ebe01950 100644
--- a/rules/windows/malware/registry_event_mal_ursnif.yml
+++ b/rules/windows/malware/registry_event_mal_ursnif.yml
@@ -22,6 +22,7 @@ detection:
 - '\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\'
 - '\SOFTWARE\AppDataLow\Software\Microsoft\RepService\'
 - '\SOFTWARE\AppDataLow\Software\Microsoft\IME\'
+ - '\SOFTWARE\AppDataLow\Software\Microsoft\Edge\'
 condition: selection and not filter
 falsepositives:
 - Unknown
From c3ecbc52a92d78d9f848814801bd135801df67e2 Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Mon, 15 Nov 2021 14:00:05 +0100
Subject: [PATCH 2/3] add Exchange reference to title/description

---
 .../builtin/win_set_oabvirtualdirectory_externalurl.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
index 4a728edbc..0aec83b3b 100644
--- a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
+++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
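Review bot: The added `\SOFTWARE\AppDataLow\Software\Microsoft\Edge\` entry excludes a whole key-path prefix from the Ursnif registry detection, yet the `falsepositives:` list at the end of the hunk still reads `- Unknown`, so the benign activity this commit suppresses is not recorded anywhere in the rule. Replace the placeholder with the observed source — presumably Microsoft Edge writing its own settings below that key, which the commit message does not state — e.g. `falsepositives:` / `- Legitimate Microsoft Edge registry writes below \SOFTWARE\AppDataLow\Software\Microsoft\Edge\` so a future tuner can judge whether the exclusion is still needed. The `filter` selection and its field modifier are outside the hunk; it is worth confirming the modifier is anchored (startswith/endswith rather than contains), because a prefix-only exclusion means any value written beneath that subtree is no longer alerted on, and a contains-style match would additionally suppress paths that merely embed the string.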
@@ -1,9 +1,10 @@
-title: Set OabVirtualDirectory ExternalUrl Property
+title: Exchange Set OabVirtualDirectory ExternalUrl Property
 id: 9db37458-4df2-46a5-95ab-307e7f29e675
-description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
+description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
 author: Jose Rodriguez @Cyb3rPandaH
 status: experimental
 date: 2021/03/15
+modified: 2021/11/15
 references:
 - https://twitter.com/OTR_Community/status/1371053369071132675
 tags:
From 42cbe8664b3affb6974553f47c254203d7dab692 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 15 Nov 2021 20:21:20 +0100
Subject: [PATCH 3/3] Update registry_event_mal_ursnif.yml

---
 rules/windows/malware/registry_event_mal_ursnif.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml
index 3ebe01950..2cfe298b0 100644
--- a/rules/windows/malware/registry_event_mal_ursnif.yml
+++ b/rules/windows/malware/registry_event_mal_ursnif.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1112
 author: megan201296
 date: 2019/02/13
-modified: 2021/10/28
+modified: 2021/11/15
 logsource:
 product: windows
 category: registry_event
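Review bot: The new `description` line reads as if the script, rather than the event, lives in the Exchange Management log, and it also inherits the "Rule to detect" phrasing that the rest of the rule's metadata style avoids. Suggest `description: Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log`. The `logsource` block that would confirm the log name the description now cites is outside the hunk.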