From fadb8891164cb2b6bf5230379eda1b468a67525e Mon Sep 17 00:00:00 2001
From: Scoubi
Date: Tue, 20 Apr 2021 20:38:20 -0400
Subject: [PATCH 1/4] Create win_Outlook_C2_Macro_Creation.yml

BEC is for Business Email Compromise (this can be changed)
---
 .../other/win_Outlook_C2_Macro_Creation.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/other/win_Outlook_C2_Macro_Creation.yml

diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml
new file mode 100644
index 000000000..f2010edaf
--- /dev/null
+++ b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml
@@ -0,0 +1,25 @@
+title: BEC - Outlook C2 Registry Key
+id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
+status: experimental
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_Outlook_C2_Macro_Creation.yml and is particularly interesting if both events occur near to each other.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ -attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_registry:
+ TargetObject:
+ - 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security'
+ condition: selection_registry
+falsepositives:
+ - Unlikely
+level: medium

From 0b7ed7e690a1e124bbd9389d37484125ef6e13e8 Mon Sep 17 00:00:00 2001
From: Scoubi
Date: Tue, 20 Apr 2021 20:50:20 -0400
Subject: [PATCH 2/4] Add a space

There was a missing space in `-attack` changed for `- attack`
---
 rules/windows/other/win_Outlook_C2_Macro_Creation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml
index f2010edaf..0bf6930a0 100644
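Review bot: The single `TargetObject` value under `selection_registry` is an exact match that hard-codes both the Office build `16.0` and the literal hive prefix `HKEY_CURRENT_USER`, so the same write under an older Office path never fires, and a source that reports per-user keys as `HKU\<SID>\...` (Sysmon does, as far as I recall) would presumably never match either — confirm against the backend's registry-path handling before relying on it. The same two constraints survive the rewrite of this selection in PATCH 4/4, so this applies there too. Taking the PATCH 4/4 form as the base, I would anchor on the tail rather than the full path, `TargetObject|endswith: '\Outlook\Security\Level'`, optionally paired with `TargetObject|contains: '\Microsoft\Office\'` to keep unrelated keys out, and let the hive and version float.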
--- a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml
+++ b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml
@@ -8,7 +8,7 @@ author: '@ScoubiMtl'
 tags:
 - attack.persistence
 - attack.command_and_control
- -attack.t1137
+ - attack.t1137
 - attack.t1008
 - attack.t1546
 date: 2021/04/05

From 23791664eb02d226f13f258a54437ca7b79336f7 Mon Sep 17 00:00:00 2001
From: Scoubi
Date: Wed, 21 Apr 2021 08:45:15 -0400
Subject: [PATCH 3/4] Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml

Gave the wrong name to the file, this is the correct one.
---
 ...look_C2_Macro_Creation.yml => win_Outlook_C2_Registry_Key.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/other/{win_Outlook_C2_Macro_Creation.yml => win_Outlook_C2_Registry_Key.yml} (100%)

diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Registry_Key.yml
similarity index 100%
rename from rules/windows/other/win_Outlook_C2_Macro_Creation.yml
rename to rules/windows/other/win_Outlook_C2_Registry_Key.yml

From 4ad3316d742e3cd1c9c0a861987496815fe18ed2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 4 May 2021 09:41:38 +0200
Subject: [PATCH 4/4] Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml

---
 .../win_outlook_C2_registry_key.yml} | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 rename rules/windows/{other/win_Outlook_C2_Registry_Key.yml => registry_event_write/win_outlook_C2_registry_key.yml} (62%)

diff --git a/rules/windows/other/win_Outlook_C2_Registry_Key.yml b/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml
similarity index 62%
rename from rules/windows/other/win_Outlook_C2_Registry_Key.yml
rename to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml
index 0bf6930a0..e30550167 100644
--- a/rules/windows/other/win_Outlook_C2_Registry_Key.yml
+++ b/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml
@@ -1,7 +1,7 @@
-title: BEC - Outlook C2 Registry Key
+title: Outlook C2 Registry Key
 id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
 status: experimental
-description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_Outlook_C2_Macro_Creation.yml and is particularly interesting if both events occur near to each other.
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
 references:
 - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
@@ -13,12 +13,12 @@ tags:
 - attack.t1546
 date: 2021/04/05
 logsource:
- category: registry_event
+ category: registry_event_write
 product: windows
 detection:
 selection_registry:
- TargetObject:
- - 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security'
+ TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
+ Details|contains: '0x00000001'
 condition: selection_registry
 falsepositives:
 - Unlikely
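Review bot: `falsepositives: - Unlikely` in the second hunk understates the benign path to this event now that the selection pins `Security\Level` with `Details|contains: '0x00000001'`: that is presumably the same value the Outlook Trust Center writes when a user picks a lower macro setting, and endpoint-management tooling setting it would produce an identical `registry_event_write` — confirm with a test write from the UI. I would record that in the rule, `- Administrators or users lowering macro security through the Outlook Trust Center`, so analysts know to pivot on the writing process (`Image`) before escalating rather than treating every hit as hostile. The `contains` match on `0x00000001` is reasonable for a DWORD rendered as `DWORD (0x00000001)`, but it covers only the per-user key; if the backend also sees the policy twin of this setting under the `Software\Policies\...` branch, that is worth a follow-up selection rather than a blocker here.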