From 4b648c0808dfa8c79bcf484154705a9377de96b6 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Sun, 14 Jan 2024 21:13:13 +0100 Subject: [PATCH] Suspicious Office template created rule Detects when attackers drop macro-enabled files in specific folders to trigger their execution every time the victim user opens an Office application. --- ...ence_boot_or_logon_autostart_execution.yml | 64 +++++++++---------- ...persistence_office_application_startup.yml | 50 +++++++++++++++ 2 files changed, 82 insertions(+), 32 deletions(-) create mode 100644 rules/persistence_office_application_startup.yml diff --git a/rules/persistence_boot_or_logon_autostart_execution.yml b/rules/persistence_boot_or_logon_autostart_execution.yml index 20fdd0cb4..f61dedb56 100644 --- a/rules/persistence_boot_or_logon_autostart_execution.yml +++ b/rules/persistence_boot_or_logon_autostart_execution.yml @@ -24,23 +24,23 @@ condition: > create_file and - ( - file.extension in ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe') - or - (file.is_exec or file.is_dll) - ) + ( + file.extension in ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe') + or + (file.is_exec or file.is_dll) + ) and file.name imatches startup_locations and not ps.exe imatches - ( - '?:\\Windows\\System32\\wuauclt.exe', - '?:\\Windows\\System32\\msiexec.exe', - '?:\\Windows\\SysWOW64\\msiexec.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*.exe' - ) + ( + '?:\\Windows\\System32\\wuauclt.exe', + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Windows\\SysWOW64\\msiexec.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*.exe' + ) min-engine-version: 2.0.0 - name: Unusual process modified the registry run key description: | 
@@ -55,26 +55,26 @@
 and
 not
 ps.exe imatches
- (
- '?:\\Windows\\System32\\svchost.exe',
- '?:\\Windows\\SysWOW64\\msiexec.exe',
- '?:\\Windows\\System32\\msiexec.exe',
- '?:\\Windows\\System32\\drvinst.exe',
- '?:\\Windows\\System32\\WinSAT.exe',
- '?:\\Windows\\System32\\reg.exe',
- '?:\\Windows\\regedit.exe',
- '?:\\Windows\\SysWOW64\\reg.exe',
- '?:\\Windows\\System32\\csrss.exe',
- '?:\\Windows\\SysWOW64\\DriverStore\\*.exe',
- '?:\\Windows\\System32\\DriverStore\\*.exe',
- '?:\\Windows\\Installer\\*.exe',
- '?:\\Windows\\explorer.exe',
- '?:\\Windows\\IMECache\\*.exe',
- '?:\\Windows\\System32\\sihost.exe',
- '?:\\Windows\\SysWOW64\\prevhost.exe',
- '?:\\Windows\\System32\\conhost.exe',
- '?:\\Windows\\System32\\taskhostw.exe'
- )
+ (
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\SysWOW64\\msiexec.exe',
+ '?:\\Windows\\System32\\msiexec.exe',
+ '?:\\Windows\\System32\\drvinst.exe',
+ '?:\\Windows\\System32\\WinSAT.exe',
+ '?:\\Windows\\System32\\reg.exe',
+ '?:\\Windows\\regedit.exe',
+ '?:\\Windows\\SysWOW64\\reg.exe',
+ '?:\\Windows\\System32\\csrss.exe',
+ '?:\\Windows\\SysWOW64\\DriverStore\\*.exe',
+ '?:\\Windows\\System32\\DriverStore\\*.exe',
+ '?:\\Windows\\Installer\\*.exe',
+ '?:\\Windows\\explorer.exe',
+ '?:\\Windows\\IMECache\\*.exe',
+ '?:\\Windows\\System32\\sihost.exe',
+ '?:\\Windows\\SysWOW64\\prevhost.exe',
+ '?:\\Windows\\System32\\conhost.exe',
+ '?:\\Windows\\System32\\taskhostw.exe'
+ )
 min-engine-version: 2.0.0
 - name: Network connection via startup folder executable or script
 description: |
diff --git a/rules/persistence_office_application_startup.yml b/rules/persistence_office_application_startup.yml
new file mode 100644
index 000000000..4fb0b34cc
--- /dev/null
+++ b/rules/persistence_office_application_startup.yml
@@ -0,0 +1,50 @@
+- group: Office Template Macros
+ description: |
+ Adversaries may abuse Microsoft Office templates to obtain
+ persistence on a compromised system. Microsoft Office contains
+ templates that are part of common Office applications and are
+ used to customize styles. The base templates within
+ the application are used each time an application starts.
+ Office Visual Basic for Applications (VBA) macros can be
+ inserted into the base template and used to execute code
+ when the respective Office application starts in order to
+ obtain persistence. Examples for both Word and Excel have
+ been discovered and published.
+ By default, Word has a Normal.dotm template created that
+ can be modified to include a malicious macro.
+ Excel does not have a template file created by default, but
+ one can be added that will automatically be loaded. Shared
+ templates may also be stored and pulled from remote locations.
+ labels:
+ tactic.id: TA0006
+ tactic.name: Persistence
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1137
+ technique.name: Office Application Startup
+ technique.ref: https://attack.mitre.org/techniques/T1137/
+ subtechnique.id: T1137.001
+ subtechnique.name: Office Template Macros
+ subtechnique.ref: https://attack.mitre.org/techniques/T1137/001/
+ rules:
+ - name: Suspicious Office template created
+ description: |
+ Detects when attackers drop macro-enabled files in specific
+ folders to trigger their execution every time the victim user
+ opens an Office application.
+ condition: >
+ create_file
+ and
+ file.name imatches
+ (
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\*.dotm',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*.otm'
+ )
+ and
+ not
+ ps.name iin msoffice_binaries
+ output: >
+ %file.name Office template written by unusual %ps.exe process
+ min-engine-version: 2.0.0
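Review bot: The `labels` block of the new file pairs `tactic.name: Persistence` with `tactic.id: TA0006` and a `tactic.ref` ending in `/tactics/TA0006/`, but TA0006 is the Credential Access tactic; Persistence is TA0003, so those two lines should read `tactic.id: TA0003` and `tactic.ref: https://attack.mitre.org/tactics/TA0003/`. The condition also fires on any file written under `Word\Startup\*`, `Excel\XLSTART\*` and `AddIns\*` whatever its extension, which is broader than the "macro-enabled files" the description promises and will pick up non-macro files written by installers or sync clients; the sibling rule in this patch narrows on `file.extension` and carries an exclusion list for installers such as `msiexec.exe`, and using the same approach here would keep the two rules consistent and quieter. Note as well that `not ps.name iin msoffice_binaries` takes an Office process writing into its own startup folder out of scope, which is the path a macro inside an opened document takes when it persists, so a second rule without that exclusion but keyed to a macro-enabled extension may be worth adding. `msoffice_binaries` is defined outside this patch, so its contents cannot be checked here.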