persistence_suspicious_microsoft_office_template.yml
name: Suspicious Microsoft Office template
id: c4be3b30-9d23-4a33-b974-fb12e17487a2
version: 1.0.1
description: |
  Detects when attackers drop macro-enabled files in specific
  folders to trigger their execution every time the victim user
  opens an Office application.
labels:
  tactic.id: TA0006
  tactic.name: Persistence
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1137
  technique.name: Office Application Startup
  technique.ref: https://attack.mitre.org/techniques/T1137/
  subtechnique.id: T1137.001
  subtechnique.name: Office Template Macros
  subtechnique.ref: https://attack.mitre.org/techniques/T1137/001/
references:
  - https://cyberint.com/blog/research/office-templates-and-globaldotname-a-stealthy-office-persistence-technique/

condition: >
  create_file
      and
  file.path imatches
      (
        '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*',
        '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\*.dotm',
        '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*',
        '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*',
        '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*.otm'
      )
      and
  not
  ps.name iin msoffice_binaries
      and
  not
  ps.exe imatches
      (
        '?:\\Program Files\\*.exe',
        '?:\\Program Files (x86)\\*.exe'
      )

output: >
  Office template %file.path created by suspicious process %ps.exe

min-engine-version: 2.4.0
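The following Python script is an added illustration of how this rule's condition behaves; it is not part of the Fibratus project and does not use its engine. It re-implements the three clauses (path match on the Office startup locations, exclusion of Office's own processes, exclusion of executables under Program Files) over a handful of constructed file-creation events so a defender can see which events alert and which are suppressed. Assumptions: `imatches` is emulated with `fnmatch` as a case-insensitive glob where `?` matches one character and `*` any run (including path separators), the YAML's doubled backslashes are written as single backslashes, and the `msoffice_binaries` list, which the page references but does not define, is stood in for by a constructed set of Office process names.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List

# Path patterns from the rule's "file.path imatches" clause. The YAML escapes
# each backslash; here they are single backslashes in raw strings.
OFFICE_STARTUP_PATTERNS = [
    r"?:\Users\*\AppData\Roaming\Microsoft\Word\Startup\*",
    r"?:\Users\*\AppData\Roaming\Microsoft\Templates\*.dotm",
    r"?:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*",
    r"?:\Users\*\AppData\Roaming\Microsoft\AddIns\*",
    r"?:\Users\*\AppData\Roaming\Microsoft\Outlook\*.otm",
]

# Executable patterns from the rule's "ps.exe imatches" exclusion.
TRUSTED_EXE_PATTERNS = [
    r"?:\Program Files\*.exe",
    r"?:\Program Files (x86)\*.exe",
]

# ASSUMPTION: the rule references a list named msoffice_binaries that this
# page does not show; this constructed set stands in for it.
MSOFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "outlook.exe", "msaccess.exe"}


@dataclass
class FileEvent:
    """Minimal stand-in for the event fields the rule reads."""
    event_type: str   # the event name, e.g. "create_file"
    file_path: str    # file.path
    ps_name: str      # ps.name (image name of the creating process)
    ps_exe: str       # ps.exe  (full path of the creating process)


def imatches(value: str, patterns: Iterable[str]) -> bool:
    """Emulate Fibratus 'imatches': case-insensitive glob against any pattern (assumption)."""
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def iin(value: str, names: Iterable[str]) -> bool:
    """Emulate Fibratus 'iin': case-insensitive membership test."""
    return value.lower() in {n.lower() for n in names}


def rule_matches(ev: FileEvent) -> bool:
    """Evaluate the rule's condition clause by clause, in the order the YAML lists them."""
    if ev.event_type != "create_file":
        return False
    if not imatches(ev.file_path, OFFICE_STARTUP_PATTERNS):
        return False
    if iin(ev.ps_name, MSOFFICE_BINARIES):          # Office writing its own templates
        return False
    if imatches(ev.ps_exe, TRUSTED_EXE_PATTERNS):   # installed software under Program Files
        return False
    return True


def render_output(ev: FileEvent) -> str:
    """Render the rule's output template for a matching event."""
    return f"Office template {ev.file_path} created by suspicious process {ev.ps_exe}"


def evaluate(events: Iterable[FileEvent]) -> List[str]:
    """Return the alert text for every event the rule matches."""
    return [render_output(ev) for ev in events if rule_matches(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Scripting host drops a macro template into Word's Startup folder: alerts.
    FileEvent("create_file", r"C:\Users\alice\AppData\Roaming\Microsoft\Word\Startup\evil.dotm",
              "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Word itself rewriting Normal.dotm: suppressed by the msoffice_binaries exclusion.
    FileEvent("create_file", r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
              "WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Installer under Program Files (x86) dropping an Excel add-in: suppressed by the exe exclusion.
    FileEvent("create_file", r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART\book.xlam",
              "setup.exe", r"C:\Program Files (x86)\Vendor\setup.exe"),
    # Ordinary document outside the startup locations: no path match.
    FileEvent("create_file", r"C:\Users\bob\Documents\report.docx",
              "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Not a create_file event: the first clause fails.
    FileEvent("write_file", r"C:\Users\bob\AppData\Roaming\Microsoft\Word\Startup\note.dotm",
              "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # Outlook VBA project written by cmd.exe; the .OTM extension matches case-insensitively: alerts.
    FileEvent("create_file", r"C:\Users\eve\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
              "cmd.exe", r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints two alerts, for the first and last sample events; the Word and installer events show how the two `not` clauses keep legitimate template writes out of the alert stream, which is also where a false negative would hide if malware ran from under Program Files or under an Office process name.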