Files
hayabusa/rules/Sigma/sysmon_office_vsto_persistence.yml
2021-11-14 11:00:56 +09:00

47 lines
1.5 KiB
YAML

title: Stealthy VSTO Persistence
author: Bhabesh Raj
date: 2021/01/10
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins
in Office applications.
detection:
SELECTION_1:
EventID: 12
SELECTION_10:
Image: '*\msiexec.exe'
SELECTION_2:
EventID: 13
SELECTION_3:
EventID: 14
SELECTION_4:
EventType: SetValue
SELECTION_5:
TargetObject: '*\Software\Microsoft\Office\Outlook\Addins\\*'
SELECTION_6:
TargetObject: '*\Software\Microsoft\Office\Word\Addins\\*'
SELECTION_7:
TargetObject: '*\Software\Microsoft\Office\Excel\Addins\\*'
SELECTION_8:
TargetObject: '*\Software\Microsoft\Office\Powerpoint\Addins\\*'
SELECTION_9:
TargetObject: '*\Software\Microsoft\VSTO\Security\Inclusion\\*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and (SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) and not (SELECTION_10))
falsepositives:
- Unknown
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
level: high
logsource:
category: registry_event
product: windows
modified: 2021/07/27
references:
- https://twitter.com/_vivami/status/1347925307643355138
- https://vanmieghem.io/stealth-outlook-persistence/
status: experimental
tags:
- attack.t1137.006
- attack.persistence
yml_filename: sysmon_office_vsto_persistence.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event