feat: new rules & updates

rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml → deprecated/windows/registry_set_disable_microsoft_office_security_features.yml

@@ -1,14 +1,14 @@
 title: Disable Microsoft Office Security Features
 id: 7c637634-c95d-4bbf-b26c-a82510874b34
-status: test
+status: deprecated
 description: Disable Microsoft Office Security Features by registry
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
     - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
     - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
 author: frack113
 date: 2021/06/08
-modified: 2022/03/26
+modified: 2023/06/21
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/windows/registry/registry_set/registry_set_office_security.yml → deprecated/windows/registry_set_office_security.yml

@@ -1,14 +1,14 @@
 title: Office Security Settings Changed
 id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
-status: experimental
+status: deprecated
 description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
 references:
     - https://twitter.com/inversecos/status/1494174785621819397
     - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
     - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
-modified: 2022/06/26
+modified: 2023/06/21
 tags:
     - attack.defense_evasion
     - attack.t1112

rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml → rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml

@@ -7,7 +7,7 @@ references:
     - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth (Nextron Systems), Sittikorn S
 date: 2021/09/10
-modified: 2022/06/17
+modified: 2023/06/22
 tags:
     - attack.resource_development
     - attack.t1587
@@ -17,20 +17,18 @@ logsource:
 detection:
     selection_cab:
         Image|endswith: '\winword.exe'
-        TargetFilename|endswith: '.cab'
         TargetFilename|contains: '\Windows\INetCache'
+        TargetFilename|endswith: '.cab'
     selection_inf:
         Image|endswith: '\winword.exe'
         TargetFilename|contains|all:
             - '\AppData\Local\Temp\'
             - '.inf'
-    filter_legit:
+    filter_main_legit:
         TargetFilename|startswith: 'C:\Users\'
         TargetFilename|contains: 'AppData\Local\Temp'
         TargetFilename|endswith: '\Content.inf'
-    condition: (selection_cab or selection_inf) and not filter_legit
-fields:
-    - TargetFilename
+    condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: high

rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml

@@ -0,0 +1,27 @@
+title: Microsoft Office Trusted Location Updated
+id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
+related:
+    - id: f742bde7-9528-42e5-bd82-84f51a8387d2
+      type: similar
+status: experimental
+description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
+references:
+    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/21
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+    - detection.threat_hunting
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: Setvalue
+        TargetObject|contains: 'Security\Trusted Locations\Location'
+        TargetObject|endswith: '\Path'
+    condition: selection
+falsepositives:
+    - During office installations or setup, trusted locations are added, which will trigger this rule.
+level: medium

rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml

@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/20
-modified: 2023/06/06
+modified: 2023/06/20
 tags:
     - attack.execution
 logsource:
@@ -97,6 +97,10 @@ detection:
         ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
         RequestedPolicy: 8
         ValidatedPolicy: 1
+    filter_optional_trend_micro:
+        FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
+        RequestedPolicy: 8
+        ValidatedPolicy: 1
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Antivirus and other third party products. Apply additional filters accordingly

rules/windows/builtin/security/win_security_disable_event_auditing.yml

@@ -0,0 +1,52 @@
+title: Windows Event Auditing Disabled
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+related:
+    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
+      type: derived
+status: test
+description: |
+    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
+    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
+    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
+    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
+references:
+    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
+author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
+date: 2017/11/19
+modified: 2021/11/27
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    product: windows
+    service: security
+    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
+detection:
+    selection:
+        EventID: 4719
+        AuditPolicyChanges|contains:
+            - '%%8448' # This is "Success removed"
+            - '%%8450' # This is "Failure removed"
+    filter_main_guid:
+        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
+        SubcategoryGuid:
+            # Note: Add or remove GUID as you see fit in your env
+            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
+            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
+            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
+            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
+            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
+            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
+            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
+            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
+            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
+            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
+            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
+            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
+            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
+            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
+            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
+    condition: selection and not filter_main_guid
+falsepositives:
+    - Unknown
+level: medium

rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml

@@ -0,0 +1,49 @@
+title: Important Windows Event Auditing Disabled
+id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
+related:
+    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
+      type: derived
+status: test
+description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
+references:
+    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
+    - https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/20
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    product: windows
+    service: security
+    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
+detection:
+    selection_state_success_and_failure:
+        EventID: 4719
+        SubcategoryGuid:
+            # Note: Add or remove GUID as you see fit in your env
+            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
+            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
+            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
+            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
+            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
+            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
+            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
+            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
+            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
+            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
+            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
+            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
+            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
+            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
+        AuditPolicyChanges|contains:
+            - '%%8448' # This is "Success removed"
+            - '%%8450' # This is "Failure removed"
+    selection_state_success_only:
+        EventID: 4719
+        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
+        AuditPolicyChanges|contains: '%%8448'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules/windows/file/file_event/file_event_win_office_startup_persistence.yml

@@ -0,0 +1,53 @@
+title: Potential Persistence Via Microsoft Office Startup Folder
+id: 0e20c89d-2264-44ae-8238-aeeaba609ece
+status: test
+description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
+references:
+    - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
+    - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
+author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/06/02
+modified: 2023/06/22
+tags:
+    - attack.persistence
+    - attack.t1137
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_word_paths:
+        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
+        - TargetFilename|contains|all:
+            - '\Office'
+            - '\Program Files'
+            - '\STARTUP'
+    selection_word_extension:
+        TargetFilename|endswith:
+            - '.doc'
+            - '.docm'
+            - '.docx'
+            - '.dot'
+            - '.dotm'
+            - '.rtf'
+    selection_excel_paths:
+        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
+        - TargetFilename|contains|all:
+            - '\Office'
+            - '\Program Files'
+            - '\XLSTART'
+    selection_excel_extension:
+        TargetFilename|endswith:
+            - '.xls'
+            - '.xlsm'
+            - '.xlsx'
+            - '.xlt'
+            - '.xltm'
+    filter_main_office:
+        Image|endswith:
+            - '\WINWORD.exe'
+            - '\EXCEL.exe'
+    condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
+falsepositives:
+    - Loading a user environment from a backup or a domain controller
+    - Synchronization of templates
+level: high

rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml → rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml

@@ -1,13 +1,13 @@
-title: Created Files by Office Applications
+title: File With Uncommon Extension Created By An Office Application
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
 status: experimental
-description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
+description: Detects the creation of files with an executable or script extension by an Office application.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/08/23
-modified: 2022/07/11
+modified: 2023/06/22
 tags:
     - attack.t1204.002
     - attack.execution
@@ -18,37 +18,46 @@ detection:
     #useful_information: Please add more file extensions to the logic of your choice.
     selection1:
         Image|endswith:
-            - '\winword.exe'
             - '\excel.exe'
+            - '\msaccess.exe'
+            - '\mspub.exe'
             - '\powerpnt.exe'
+            - '\visio.exe'
+            - '\winword.exe'
     selection2:
         TargetFilename|endswith:
-            - '.exe'
+            - '.bat'
+            - '.cmd'
+            - '.com'
             - '.dll'
+            - '.exe'
+            - '.hta'
             - '.ocx'
-            - '.com'
+            - '.proj'
             - '.ps1'
-            - '.vbs'
-            - '.sys'
-            - '.bat'
+            - '.scf'
             - '.scr'
-            - '.proj'
-    filter_webservicecache: # matches e.g. directory with name *.microsoft.com
+            - '.sys'
+            - '.vbe'
+            - '.vbs'
+            - '.wsf'
+            - '.wsh'
+    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
         TargetFilename|contains|all:
             - 'C:\Users\'
             - '\AppData\Local\Microsoft\Office\'
             - '\WebServiceCache\AllUsers'
         TargetFilename|endswith: '.com'
-    filter_webex:
+    filter_optional_webex:
         Image|endswith: '\winword.exe'
         TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
         TargetFilename|endswith:
             - '.dll'
             - '.exe'
-    filter_localassembly:
+    filter_main_localassembly:
         TargetFilename|contains: '\AppData\Local\assembly\tmp\'
         TargetFilename|endswith: '.dll'
-    condition: all of selection* and not 1 of filter_*
+    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high