blue-team-tools/rules/windows/sysmon/sysmon_office_persistence.yml
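# Sigma rule: Microsoft Office persistence via start-up templates, the
# "Office test" performance key and per-user add-in registration (ATT&CK T1137).
#
# The logsource is raw Sysmon. Sysmon writes user-hive registry paths in
# TargetObject as HKU\<SID>\..., not with the HKCU alias, so every user-hive
# pattern below is anchored on 'HKU\*\' to actually match Sysmon output.
title: Microsoft Office Persistence
status: experimental
description: Detect some kinds of persistence techniques using Office Startup
author: Lep
references:
  - https://attack.mitre.org/techniques/T1137/
  - https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
date: 2019/08/20
tags:
  - attack.persistence
  - attack.t1137
  - attack.g0050
logsource:
  service: sysmon
  product: windows
detection:
  # Event ID 11 (FileCreate): trusted template / Excel start-up artefacts
  # written under the roaming profile. Saving changes to Normal.dotm is
  # ordinary Office usage (see falsepositives), hence level: low.
  template_macro:
    EventID: 11
    TargetFilename:
      - '*\AppData\Roaming\Microsoft\Templates\Normal.dotm'
      - '*\AppData\Roaming\Microsoft\Excel*'
  # Event ID 13 (RegistryValueSet): the "Office test" key whose Perf value
  # names a DLL loaded by every Office application on start.
  office_test:
    EventID: 13
    TargetObject: 'HKU\*\Software\Microsoft\Office test\Special\Perf*'
  # Event ID 13: Outlook and Excel option values. 'Outlook*' is deliberately
  # wide and also matches routine Outlook settings writes; narrow it per
  # environment once the specific values of interest are confirmed.
  enable_macros:
    EventID: 13
    TargetObject:
      - 'HKU\*\Software\Microsoft\Office\*\Outlook*'
      - 'HKU\*\Software\Microsoft\Office\*\Excel\Options*'
  # Event ID 13: add-in registration. TargetObject carries the full value
  # path (key plus value name), so each pattern needs a trailing wildcard;
  # a bare key path or a literal placeholder such as <AddInName> never matches.
  addins:
    EventID: 13
    TargetObject:
      - 'HKU\*\Software\Microsoft\VBA\VBE\6.0\Addins\*'
      - 'HKU\*\Software\Microsoft\Office\*\PowerPoint\AddIns\*'
      - 'HKU\*\Software\Microsoft\Office\*\Addins\*'
  condition: template_macro or office_test or addins or enable_macros
falsepositives:
  - Office usage
level: low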