47 lines
1.5 KiB
YAML
47 lines
1.5 KiB
YAML
title: Stealthy VSTO Persistence
|
|
author: Bhabesh Raj
|
|
date: 2021/01/10
|
|
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins
|
|
in Office applications.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 12
|
|
SELECTION_10:
|
|
Image: '*\msiexec.exe'
|
|
SELECTION_2:
|
|
EventID: 13
|
|
SELECTION_3:
|
|
EventID: 14
|
|
SELECTION_4:
|
|
EventType: SetValue
|
|
SELECTION_5:
|
|
TargetObject: '*\Software\Microsoft\Office\Outlook\Addins\\*'
|
|
SELECTION_6:
|
|
TargetObject: '*\Software\Microsoft\Office\Word\Addins\\*'
|
|
SELECTION_7:
|
|
TargetObject: '*\Software\Microsoft\Office\Excel\Addins\\*'
|
|
SELECTION_8:
|
|
TargetObject: '*\Software\Microsoft\Office\Powerpoint\Addins\\*'
|
|
SELECTION_9:
|
|
TargetObject: '*\Software\Microsoft\VSTO\Security\Inclusion\\*'
|
|
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and (SELECTION_5
|
|
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) and not (SELECTION_10))
|
|
falsepositives:
|
|
- Unknown
|
|
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
|
|
level: high
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
modified: 2021/07/27
|
|
references:
|
|
- https://twitter.com/_vivami/status/1347925307643355138
|
|
- https://vanmieghem.io/stealth-outlook-persistence/
|
|
status: experimental
|
|
tags:
|
|
- attack.t1137.006
|
|
- attack.persistence
|
|
yml_filename: sysmon_office_vsto_persistence.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
|
|
|