Commit
Showing 42 changed files with 867 additions and 312 deletions.
File renamed without changes.
4 changes: 2 additions & 2 deletions
...le_microsoft_office_security_features.yml → ...le_microsoft_office_security_features.yml
4 changes: 2 additions & 2 deletions
...stry_set/registry_set_office_security.yml → .../windows/registry_set_office_security.yml
27 changes: 27 additions & 0 deletions
rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
title: Microsoft Office Trusted Location Updated | ||
id: a0bed973-45fa-4625-adb5-6ecdf9be70ac | ||
related: | ||
- id: f742bde7-9528-42e5-bd82-84f51a8387d2 | ||
type: similar | ||
status: experimental | ||
description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. | ||
references: | ||
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/06/21 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1112 | ||
- detection.threat_hunting | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
selection: | ||
EventType: Setvalue | ||
TargetObject|contains: 'Security\Trusted Locations\Location' | ||
TargetObject|endswith: '\Path' | ||
condition: selection | ||
falsepositives: | ||
- During office installations or setup, trusted locations are added, which will trigger this rule. | ||
level: medium |
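Review bot: the falsepositives entry states that Office installation and setup add trusted locations, yet the detection block has no filter for that case, so every install or repair will fire this rule. Either add an `Image`-based filter for the installer process in this `registry_set` rule, or say in the description that the noise is accepted because the rule is tagged `detection.threat_hunting` and meant for triage rather than alerting. A smaller point: `TargetObject|contains: 'Security\Trusted Locations\Location'` matches any key containing that substring, which includes the policy-managed paths the referenced admx.help page describes; that is probably intended, but a one-line comment would stop a later edit from narrowing it to the per-user hive by accident.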
52 changes: 52 additions & 0 deletions
rules/windows/builtin/security/win_security_disable_event_auditing.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
title: Windows Event Auditing Disabled | ||
id: 69aeb277-f15f-4d2d-b32a-55e883609563 | ||
related: | ||
- id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 | ||
type: derived | ||
status: test | ||
description: | | ||
Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. | ||
This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. | ||
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". | ||
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways. | ||
references: | ||
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit | ||
author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)' | ||
date: 2017/11/19 | ||
modified: 2021/11/27 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1562.002 | ||
logsource: | ||
product: windows | ||
service: security | ||
definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64 | ||
detection: | ||
selection: | ||
EventID: 4719 | ||
AuditPolicyChanges|contains: | ||
- '%%8448' # This is "Success removed" | ||
- '%%8450' # This is "Failure removed" | ||
filter_main_guid: | ||
# Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 | ||
SubcategoryGuid: | ||
# Note: Add or remove GUID as you see fit in your env | ||
- '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon | ||
- '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation | ||
- '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations | ||
- '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change | ||
- '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension | ||
- '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity | ||
- '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon | ||
- '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change | ||
- '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change | ||
- '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management | ||
- '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management | ||
- '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management | ||
- '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation | ||
- '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service' | ||
- '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout | ||
condition: selection and not filter_main_guid | ||
falsepositives: | ||
- Unknown | ||
level: medium |
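Review bot: `filter_main_guid` drops every 4719 event for the Account Lockout subcategory `{0CCE9217-69AE-11D9-BED3-505054503030}` regardless of `AuditPolicyChanges`, but the sibling rule ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 only selects that GUID together with `'%%8448'` (Success removed), so a "Failure removed" (`'%%8450'`) change on Account Lockout is matched by neither rule. Either move the Account Lockout GUID out of this filter, or restrict the filter so it only suppresses the exact combinations the other rule covers. Two smaller points: the comment on the Kerberos Authentication Service line ends with a stray `'`, and `modified: 2021/11/27` is stale now that the `related` entry and the whole `filter_main_guid` block are being added (the rule they reference is dated 2023/06/20 in this same commit).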
49 changes: 49 additions & 0 deletions
rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
title: Important Windows Event Auditing Disabled | ||
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 | ||
related: | ||
- id: 69aeb277-f15f-4d2d-b32a-55e883609563 | ||
type: derived | ||
status: test | ||
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled. | ||
references: | ||
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit | ||
- https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/06/20 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1562.002 | ||
logsource: | ||
product: windows | ||
service: security | ||
definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64 | ||
detection: | ||
selection_state_success_and_failure: | ||
EventID: 4719 | ||
SubcategoryGuid: | ||
# Note: Add or remove GUID as you see fit in your env | ||
- '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon | ||
- '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation | ||
- '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations | ||
- '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change | ||
- '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension | ||
- '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity | ||
- '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon | ||
- '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change | ||
- '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change | ||
- '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management | ||
- '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management | ||
- '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management | ||
- '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation | ||
- '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service | ||
AuditPolicyChanges|contains: | ||
- '%%8448' # This is "Success removed" | ||
- '%%8450' # This is "Failure removed" | ||
selection_state_success_only: | ||
EventID: 4719 | ||
SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout | ||
AuditPolicyChanges|contains: '%%8448' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Unlikely | ||
level: high |
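Review bot: the `related` entry declares this rule `derived` from 69aeb277-f15f-4d2d-b32a-55e883609563, while that rule in the same commit declares itself `derived` from this one; a relation cannot point both ways, so one side should become `similar` or the back-reference should be dropped. `selection_state_success_only` covers Account Lockout with `'%%8448'` only, which is a deliberate choice (that subcategory is normally audited for success), but nothing in the file says so; a comment next to the selection would stop the next editor from "fixing" it by adding `'%%8450'`. Finally, `level: high` with `falsepositives: Unlikely` will surprise environments where audit policy is re-applied by GPO on a schedule; listing that case under falsepositives matches what the description of the sibling rule already warns about.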
30 changes: 0 additions & 30 deletions
rules/windows/builtin/security/win_security_disable_event_logging.yml
This file was deleted.
53 changes: 53 additions & 0 deletions
rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
title: Potential Persistence Via Microsoft Office Startup Folder | ||
id: 0e20c89d-2264-44ae-8238-aeeaba609ece | ||
status: test | ||
description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence. | ||
references: | ||
- https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies | ||
- https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders | ||
author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | ||
date: 2022/06/02 | ||
modified: 2023/06/22 | ||
tags: | ||
- attack.persistence | ||
- attack.t1137 | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
selection_word_paths: | ||
- TargetFilename|contains: '\Microsoft\Word\STARTUP' | ||
- TargetFilename|contains|all: | ||
- '\Office' | ||
- '\Program Files' | ||
- '\STARTUP' | ||
selection_word_extension: | ||
TargetFilename|endswith: | ||
- '.doc' | ||
- '.docm' | ||
- '.docx' | ||
- '.dot' | ||
- '.dotm' | ||
- '.rtf' | ||
selection_excel_paths: | ||
- TargetFilename|contains: '\Microsoft\Excel\XLSTART' | ||
- TargetFilename|contains|all: | ||
- '\Office' | ||
- '\Program Files' | ||
- '\XLSTART' | ||
selection_excel_extension: | ||
TargetFilename|endswith: | ||
- '.xls' | ||
- '.xlsm' | ||
- '.xlsx' | ||
- '.xlt' | ||
- '.xltm' | ||
filter_main_office: | ||
Image|endswith: | ||
- '\WINWORD.exe' | ||
- '\EXCEL.exe' | ||
condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office | ||
falsepositives: | ||
- Loading a user environment from a backup or a domain controller | ||
- Synchronization of templates | ||
level: high |
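Review bot: `filter_main_office` excludes any file written by `\WINWORD.exe` or `\EXCEL.exe`, which removes the noise of Word and Excel saving their own templates but also means a file dropped into `\STARTUP` or `\XLSTART` by the Office application itself (the case T1137 is about, where the persistence file is created from inside the application) is never reported. The trade-off is defensible for a `level: high` rule, but it belongs in `falsepositives` or the description so analysts know the gap, and a narrower filter (for example on the `.dotm`/`.xltm` template extensions only, which are the ones that auto-load code) would keep most of the noise reduction without blanking the whole `Image`. Minor: the extension lists mix `.docx`/`.xlsx`, which cannot carry macros, with the template types; if they are kept on purpose as lure/loader files, a short comment would help.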