Sigma rules for CVE-2008-3014
56 rules · scoped to cve · back to CVE-2008-3014
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
- id: 344482e4-a477-436c-aa70-7536d18a48c7
type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
- attack.t1505.003
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
# You can add other uncommon or suspicious processes
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\wsl.exe'
filter_optional_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter_optional_*
level: high
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
- https://antgarsil.github.io/posts/velocity/
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: velocity
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'ParseErrorException'
- 'VelocityException'
- 'TemplateInitException'
condition: keywords
falsepositives:
- Application bugs
- Missing .vm files
level: high
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.execution
- attack.t1569.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
condition: selection
falsepositives:
- Administrative tasks on remote services
level: high
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
condition: selection
falsepositives:
- Legitimate remote share creation
level: high
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1505.003
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\php.exe'
- '\tomcat.exe'
- '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- '\w3wp.exe'
- '\ws_TomcatService.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.home'
- 'catalina.jar'
selection_anomaly_children:
Image|endswith:
- '\arp.exe'
- '\at.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dsget.exe'
- '\hostname.exe'
- '\nbtstat.exe'
- '\net.exe'
- '\net1.exe'
- '\netdom.exe'
- '\netsh.exe'
- '\nltest.exe'
- '\ntdsutil.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\qprocess.exe'
- '\query.exe'
- '\qwinsta.exe'
- '\reg.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wusa.exe'
filter_main_fp_1:
ParentImage|endswith: '\java.exe'
CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
filter_main_fp_2:
ParentImage|endswith: '\java.exe'
CommandLine|contains|all:
- 'sc query'
- 'ADManager Plus'
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\ScreenConnect.Service.exe'
Image|endswith:
- '\cmd.exe'
- '\csc.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
- https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: dns-server
detection:
selection:
EventID:
- 150
- 770
- 771
condition: selection
falsepositives:
- Unknown
level: high
title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration: '/system.webServer/httpLogging/@dontLog'
NewValue: 'true'
condition: selection
falsepositives:
- Unknown
level: high
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 1031
- 1032
- 1034
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: test
description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
references:
- https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
filter:
Details: '%windir%\system32\amsi.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1112
logsource:
category: registry_delete
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
selection2:
EventType: DeleteKey
TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1071.001
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
cs-host|endswith:
- '1'
- '2'
- '3'
- '4'
- '5'
- '6'
- '7'
- '8'
- '9'
condition: selection
falsepositives:
- Unknown
level: high
title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.stealth
- attack.t1221
logsource:
category: webserver
detection:
select_method:
cs-method: 'GET'
keywords:
- '={{'
- '=%7B%7B'
- '=${'
- '=$%7B'
- '=<%='
- '=%3C%25='
- '=@('
- 'freemarker.template.utility.Execute'
- .getClass().forName('javax.script.ScriptEngineManager')
- 'T(org.apache.commons.io.IOUtils)'
filter:
sc-status: 404
condition: select_method and keywords and not filter
falsepositives:
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
- https://github.com/amidaware/tacticalrmm
- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
- attack.command-and-control
- attack.t1219
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\TacticalAgent\tacticalrmm.exe'
CommandLine|contains|all:
- '--api'
- '--auth'
- '--client-id'
- '--site-id'
- '--agent-type'
condition: selection
falsepositives:
- Legitimate system administrator deploying TacticalRMM
level: medium
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
type: similar
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: j4son
date: 2023-10-11
modified: 2025-05-28
tags:
- attack.credential-access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 18456
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
- 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
- 'CLIENT: 172.20.'
- 'CLIENT: 172.21.'
- 'CLIENT: 172.22.'
- 'CLIENT: 172.23.'
- 'CLIENT: 172.24.'
- 'CLIENT: 172.25.'
- 'CLIENT: 172.26.'
- 'CLIENT: 172.27.'
- 'CLIENT: 172.28.'
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
- 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
- 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
- 'CLIENT: <local machine>'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: ETW Logging/Processing Option Disabled On IIS Server
id: a5b40a90-baf5-4bf7-a6f7-373494881d22
status: test
description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
author: frack113, Nasreddine Bencherchali
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration|endswith: '@logTargetW3C'
OldValue|contains: 'ETW'
filter_main_etw_added:
NewValue|contains: 'ETW'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate administrator activity
level: medium
title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
- https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration|contains: '/system.webServer/modules/add'
filter_main_builtin:
NewValue:
- 'AnonymousAuthenticationModule'
- 'CustomErrorModule'
- 'DefaultDocumentModule'
- 'DirectoryListingModule'
- 'FileCacheModule'
- 'HttpCacheModule'
- 'HttpLoggingModule'
- 'ProtocolSupportModule'
- 'RequestFilteringModule'
- 'StaticCompressionModule'
- 'StaticFileModule'
- 'TokenCacheModule'
- 'UriCacheModule'
filter_main_remove:
NewValue: ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate administrator activity
level: medium
title: OpenSSH Server Listening On Socket
id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
status: test
description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
- https://winaero.com/enable-openssh-server-windows-10/
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
- https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: mdecrevoisier
date: 2022-10-25
tags:
- attack.lateral-movement
- attack.t1021.004
logsource:
product: windows
service: openssh
detection:
selection:
EventID: 4
process: sshd
payload|startswith: 'Server listening on '
condition: selection
falsepositives:
- Legitimate administrator activity
level: medium
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
- https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployService.exe'
- ServiceName:
- 'PDQDeploy'
- 'PDQ Deploy'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
- attack.lateral-movement
- attack.t1550.002
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: "LsaSrv"
EventID:
- 6038
- 6039
condition: selection
falsepositives:
- Environments that use NTLMv1
level: medium
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
- attack.discovery
- attack.t1482
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|startswith: '_ldap.'
filter_main_generic:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\'
filter_main_defender:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_unknown:
Image: '<unknown process>'
filter_optional_azure:
Image|startswith: 'C:\WindowsAzure\GuestAgent'
filter_main_null:
Image: null
filter_optional_browsers:
# Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
# Note: Incrase the level once a baseline is established
level: low
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023-10-11
modified: 2024-06-26
tags:
- attack.credential-access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 18456
condition: selection
falsepositives:
- This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low
title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
- https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
Details:
- 'DWORD (0x00000001)' # Home Page
- 'DWORD (0x00000002)' # Welcome To IE
filter_main_generic:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\ie4uinit.exe'
filter_optional_avira:
Image|contains|all:
- '\Temp\'
- '\.cr\avira_'
Details|contains: 'DWORD (0x00000001)'
filter_optional_foxit:
Image:
- 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
- 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
Details|contains: 'DWORD (0x00000001)'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium
title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
ie:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Internet Explorer'
- '\Software\Microsoft\Internet Explorer'
ie_details:
TargetObject|contains:
- '\Toolbar'
- '\Extensions'
- '\Explorer Bars'
filter_empty:
Details: '(Empty)'
filter_extensions:
TargetObject|contains:
- '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
- '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
- '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
- '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
filter_toolbar:
TargetObject|endswith:
- '\Toolbar\ShellBrowser\ITBar7Layout'
- '\Toolbar\ShowDiscussionButton'
- '\Toolbar\Locked'
condition: ie and ie_details and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
- attack.execution
- attack.persistence
- attack.t1059.002
- attack.t1137.002
- attack.t1204.002
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Microsoft Word'
- 'Microsoft Excel'
- 'Microsoft PowerPoint'
- 'Microsoft OneNote'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/fish'
- '/osacompile'
- '/osascript'
- '/sh'
- '/zsh'
- '/python'
- '/python3'
- '/wget'
condition: selection
falsepositives:
- Unknown
level: high
title: Code Executed Via Office Add-in XLL File
id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
status: test
description: |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021-12-28
tags:
- attack.persistence
- attack.t1137.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'new-object '
- '-ComObject '
- '.application'
- '.RegisterXLL'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Persistence Via Microsoft Office Add-In
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: test
description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
references:
- Internal Research
- https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
- https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
author: NVISO
date: 2020-05-11
modified: 2023-02-08
tags:
- attack.persistence
- attack.t1137.006
logsource:
category: file_event
product: windows
detection:
selection_wlldropped:
TargetFilename|contains: '\Microsoft\Word\Startup\'
TargetFilename|endswith: '.wll'
selection_xlldropped:
TargetFilename|contains: '\Microsoft\Excel\Startup\'
TargetFilename|endswith: '.xll'
selection_xladropped:
TargetFilename|contains: 'Microsoft\Excel\XLSTART\'
TargetFilename|endswith: '.xlam'
selection_generic:
TargetFilename|contains: '\Microsoft\Addins\'
TargetFilename|endswith:
- '.xlam'
- '.xla'
- '.ppam'
condition: 1 of selection_*
falsepositives:
- Legitimate add-ins
level: high
title: Potential Persistence Via Microsoft Office Startup Folder
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
status: test
description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
references:
- https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
- https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-06-22
tags:
- attack.persistence
- attack.t1137
logsource:
category: file_event
product: windows
detection:
selection_word_paths:
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\STARTUP'
selection_word_extension:
TargetFilename|endswith:
- '.doc'
- '.docm'
- '.docx'
- '.dot'
- '.dotm'
- '.rtf'
selection_excel_paths:
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\XLSTART'
selection_excel_extension:
TargetFilename|endswith:
- '.xls'
- '.xlsm'
- '.xlsx'
- '.xlt'
- '.xltm'
filter_main_office:
Image|endswith:
- '\WINWORD.exe'
- '\EXCEL.exe'
condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
falsepositives:
- Loading a user environment from a backup or a domain controller
- Synchronization of templates
level: high
title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
- attack.t1204.002
- attack.execution
logsource:
product: windows
category: file_event
detection:
# Note: Please add more file extensions to the logic of your choice.
selection1:
Image|endswith:
- '\excel.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\powerpnt.exe'
- '\visio.exe'
- '\winword.exe'
selection2:
TargetFilename|endswith:
- '.bat'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.ocx'
- '.proj'
- '.ps1'
- '.scf'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
filter_main_localassembly:
TargetFilename|contains: '\AppData\Local\assembly\tmp\'
TargetFilename|endswith: '.dll'
filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\WebServiceCache\AllUsers'
TargetFilename|endswith: '.com'
filter_optional_webex:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\BackstageInAppNavCache\'
TargetFilename|endswith: '.com'
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of a office macro file from a a suspicious process
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
detection:
selection_cmd:
- Image|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_ext:
TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- http://addbalance.com/word/startup.htm
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
- attack.resource-development
- attack.t1587.001
logsource:
product: windows
category: file_event
detection:
selection_word_paths:
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\STARTUP'
filter_exclude_word_ext:
TargetFilename|endswith:
- '.docb' # Word binary document introduced in Microsoft Office 2007
- '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- '.docx' # Word document
- '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- '.mdb' # MS Access DB
- '.mdw' # MS Access DB
- '.pdf' # PDF documents
- '.wll' # Word add-in
- '.wwl' # Word add-in
selection_excel_paths:
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\XLSTART'
filter_exclude_excel_ext:
TargetFilename|endswith:
- '.xll'
- '.xls'
- '.xlsm'
- '.xlsx'
- '.xlt'
- '.xltm'
- '.xlw'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\winword.exe'
- '\excel.exe'
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
- False positive might stem from rare extensions used by other Office utilities.
level: high
title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
references:
- Internal Research
- https://twitter.com/Max_Mal_/status/1633863678909874176
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
- https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
# Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
ParentImage|endswith:
- '\explorer.exe'
- '\dopus.exe'
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_trusted_location:
CommandLine|contains:
# Note: these are the default locations. Admins/Users could add additional ones that you need to cover
- '\AppData\Roaming\Microsoft\Templates'
- '\AppData\Roaming\Microsoft\Word\Startup\'
- '\Microsoft Office\root\Templates\'
- '\Microsoft Office\Templates\'
filter_main_dotx:
# Note: We add this filter to avoid curious people clicking on template files
CommandLine|endswith:
- '.dotx'
- '.xltx'
- '.potx'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
- id: 0c79148b-118e-472b-bdb7-9b57b444cc19
type: obsolete
status: test
description: Detects potential arbitrary file download using a Microsoft Office application
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022-05-17
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_http:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Microsoft Office Child Process
id: 438025f9-5856-4663-83f7-52f878a70a50
related:
- id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks
type: derived
- id: e1693bc8-7168-4eab-8718-cdcaa68a1738
type: derived
- id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
type: obsolete
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml
- https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
- https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
date: 2018-04-06
modified: 2023-04-24
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\EQNEDT32.EXE'
- '\EXCEL.EXE'
- '\MSACCESS.EXE'
- '\MSPUB.exe'
- '\ONENOTE.EXE'
- '\POWERPNT.exe'
- '\VISIO.exe'
- '\WINWORD.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_child_processes:
- OriginalFileName:
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'wscript.exe'
- Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\wmic.exe'
- '\workfolders.exe'
- '\wscript.exe'
selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
Image|contains:
- '\AppData\'
- '\Users\Public\'
- '\ProgramData\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
- '\Windows\System32\Tasks\'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unknown
level: high
title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
- https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
- attack.g0046
- car.2013-05-002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.exe'
- '\EQNEDT32.exe'
# - '\OUTLOOK.EXE' too many FPs
Image|startswith: 'C:\users\'
Image|endswith: '.exe'
filter:
Image|endswith: '\Teams.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
- https://twitter.com/an0n_r0/status/1474698356635193346?s=12
- https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
- attack.command-and-control
- attack.resource-development
- attack.t1105
- attack.t1608
logsource:
product: windows
category: process_creation
detection:
selection_download:
- Image|endswith:
- '\curl.exe'
- '\wget.exe'
- CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'curl '
- 'wget '
- 'Start-BitsTransfer'
- '.DownloadFile('
- '.DownloadString('
selection_domains:
CommandLine|contains:
- 'https://attachment.outlook.live.net/owa/'
- 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
condition: all of selection_*
falsepositives:
- Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50
type: derived
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
type: obsolete
- id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.EXE'
- '\EQNEDT32.EXE'
- '\ONENOTE.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_wmic_img:
- Image|endswith: '\wbem\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains|all:
- 'process'
- 'create'
- 'call'
CommandLine|contains:
# Add more suspicious LOLBINs as you see fit
- 'regsvr32'
- 'rundll32'
- 'msiexec'
- 'mshta'
- 'verclsid'
- 'wscript'
- 'cscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
- https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2025-12-09
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName:
- 'Excel.exe'
- 'MSACCESS.EXE'
- 'MSPUB.EXE'
- 'OneNote.exe'
- 'OneNoteM.exe'
- 'OUTLOOK.EXE'
- 'POWERPNT.EXE'
- 'WinWord.exe'
- 'Olk.exe'
- Description:
- 'Microsoft Access'
- 'Microsoft Excel'
- 'Microsoft OneNote'
- 'Microsoft Outlook'
- 'Microsoft PowerPoint'
- 'Microsoft Publisher'
- 'Microsoft Word'
- 'Sent to OneNote Tool'
filter_main_legit_names:
Image|endswith:
- '\EXCEL.exe'
- '\excelcnv.exe'
- '\MSACCESS.exe'
- '\MSPUB.EXE'
- '\ONENOTE.EXE'
- '\ONENOTEM.EXE'
- '\OUTLOOK.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- '\OLK.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\outllib.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|endswith:
- '\VBE7.DLL'
- '\VBEUI.DLL'
- '\VBE7INTL.DLL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
title: Office Macros Warning Disabled
id: 91239011-fe3c-4b54-9f24-15c86bb65913
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2024-03-19
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\VBAWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
title: Microsoft Office Protected View Disabled
id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
related:
- id: 7c637634-c95d-4bbf-b26c-a82510874b34
type: obsolete
status: test
description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
- https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-08
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_path:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Security\ProtectedView\'
selection_values_1:
Details: 'DWORD (0x00000001)'
TargetObject|endswith:
- '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
- '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
- '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
- '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
selection_values_0:
Details: 'DWORD (0x00000000)'
TargetObject|endswith:
- '\enabledatabasefileprotectedview'
- '\enableforeigntextfileprotectedview'
condition: selection_path and 1 of selection_values_*
falsepositives:
- Unlikely
level: high
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
- id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- Internal Research
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- ':\Program Files (x86)\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office (x86)\Templates'
- ':\Program Files\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
This rule will require an initial baseline and tuning that is specific to your organization.
references:
- https://corelight.com/blog/detecting-cve-2021-42292
- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-17
tags:
- attack.execution
- attack.t1203
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_msrange_generic:
DestinationIp|cidr:
- '2.16.56.0/23' # Akamai International B.V.
- '2.17.248.0/21' # Akamai International B.V.
- '13.107.240.0/21' # Microsoft Corporation
- '20.184.0.0/13' # Microsoft Corporation
- '23.61.224.0/20' # Akamai-AS
- '20.192.0.0/10' # Microsoft Corporation
- '23.72.0.0/13' # Akamai International B.V.
- '23.3.88.0/22' # Akamai-AS
- '23.216.132.0/22' # Akamai-AS
- '40.76.0.0/14' # Microsoft Corporation
- '51.10.0.0/15' # Microsoft Corporation
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
- '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
- '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
- '95.101.96.0/21' # Akamai-As
- '204.79.197.0/24' # Microsoft Corporation
filter_main_msrange_exchange_1:
# Exchange Online
# "urls": [
# "outlook.cloud.microsoft",
# "outlook.office.com",
# "outlook.office365.com"
# ]
DestinationIp|cidr:
- '13.107.4.0/22'
- '13.107.6.152/31'
- '13.107.18.10/31'
- '13.107.42.0/23'
- '13.107.128.0/22'
- '23.35.224.0/20'
- '23.53.40.0/22'
- '23.103.160.0/20'
- '23.216.76.0/22'
- '40.96.0.0/13'
- '40.104.0.0/15'
- '52.96.0.0/14'
- '131.253.33.215/32'
- '132.245.0.0/16'
- '150.171.32.0/22'
- '204.79.197.215/32'
- '2603:1006::/40'
- '2603:1016::/36'
- '2603:1026::/36'
- '2603:1036::/36'
- '2603:1046::/36'
- '2603:1056::/36'
- '2620:1ec:4::152/128'
- '2620:1ec:4::153/128'
- '2620:1ec:c::10/128'
- '2620:1ec:c::11/128'
- '2620:1ec:d::10/128'
- '2620:1ec:d::11/128'
- '2620:1ec:8f0::/46'
- '2620:1ec:900::/46'
- '2620:1ec:a92::152/128'
- '2620:1ec:a92::153/128'
DestinationPort:
- 80
- 443
filter_main_msrange_exchange_2:
# Exchange Online
# "urls": [
# "outlook.office365.com",
# "smtp.office365.com"
# ]
DestinationIp|cidr:
- '13.107.6.152/31'
- '13.107.18.10/31'
- '13.107.128.0/22'
- '23.103.160.0/20'
- '40.96.0.0/13'
- '40.104.0.0/15'
- '52.96.0.0/14'
- '131.253.33.215/32'
- '132.245.0.0/16'
- '150.171.32.0/22'
- '204.79.197.215/32'
- '2603:1006::/40'
- '2603:1016::/36'
- '2603:1026::/36'
- '2603:1036::/36'
- '2603:1046::/36'
- '2603:1056::/36'
- '2620:1ec:4::152/128'
- '2620:1ec:4::153/128'
- '2620:1ec:c::10/128'
- '2620:1ec:c::11/128'
- '2620:1ec:d::10/128'
- '2620:1ec:d::11/128'
- '2620:1ec:8f0::/46'
- '2620:1ec:900::/46'
- '2620:1ec:a92::152/128'
- '2620:1ec:a92::153/128'
DestinationPort:
- 143
- 587
- 993
- 995
Protocol: 'tcp'
filter_main_msrange_exchange_3:
# Exchange Online
# "urls": [
# "*.protection.outlook.com"
# ]
DestinationIp|cidr:
- '40.92.0.0/15'
- '40.107.0.0/16'
- '52.100.0.0/14'
- '52.238.78.88/32'
- '104.47.0.0/17'
- '2a01:111:f400::/48'
- '2a01:111:f403::/48'
DestinationPort: 443
filter_main_msrange_exchange_4:
# Exchange Online
# "urls": [
# "*.mail.protection.outlook.com",
# "*.mx.microsoft"
# ]
DestinationIp|cidr:
- '40.92.0.0/15'
- '40.107.0.0/16'
- '52.100.0.0/14'
- '52.238.78.88/32'
- '104.47.0.0/17'
- '2a01:111:f400::/48'
- '2a01:111:f403::/48'
DestinationPort: 25
filter_main_msrange_sharepoint_1:
# SharePoint Online and OneDrive for Business",
# "urls": [
# "*.sharepoint.com"
# ]
DestinationIp|cidr:
- '13.107.136.0/22'
- '40.108.128.0/17'
- '52.104.0.0/14'
- '104.146.128.0/17'
- '150.171.40.0/22'
- '2603:1061:1300::/40'
- '2620:1ec:8f8::/46'
- '2620:1ec:908::/46'
- '2a01:111:f402::/48'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_1:
# Microsoft 365 Common and Office Online",
# "urls": [
# "*.officeapps.live.com",
# "*.online.office.com",
# "office.live.com",
# "office.com.akadns.net"
# ],
DestinationIp|cidr:
- '13.107.6.171/32'
- '13.107.18.15/32'
- '13.107.140.6/32'
- '20.64.0.0/10'
- '52.108.0.0/14'
- '52.244.37.168/32'
- '2603:1006:1400::/40'
- '2603:1016:2400::/40'
- '2603:1026:2400::/40'
- '2603:1036:2400::/40'
- '2603:1046:1400::/40'
- '2603:1056:1400::/40'
- '2603:1063:2000::/38'
- '2620:1ec:c::15/128'
- '2620:1ec:8fc::6/128'
- '2620:1ec:a92::171/128'
- '2a01:111:f100:2000::a83e:3019/128'
- '2a01:111:f100:2002::8975:2d79/128'
- '2a01:111:f100:2002::8975:2da8/128'
- '2a01:111:f100:7000::6fdd:6cd5/128'
- '2a01:111:f100:a004::bfeb:88cf/128'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_2:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.auth.microsoft.com",
# "*.msftidentity.com",
# "*.msidentity.com",
# "account.activedirectory.windowsazure.com",
# "accounts.accesscontrol.windows.net",
# "adminwebservice.microsoftonline.com",
# "api.passwordreset.microsoftonline.com",
# "autologon.microsoftazuread-sso.com",
# "becws.microsoftonline.com",
# "ccs.login.microsoftonline.com",
# "clientconfig.microsoftonline-p.net",
# "cloudapp.azure.com",
# "companymanager.microsoftonline.com",
# "device.login.microsoftonline.com",
# "graph.microsoft.com",
# "graph.windows.net",
# "login-us.microsoftonline.com",
# "login.microsoft.com",
# "login.microsoftonline-p.com",
# "login.microsoftonline.com",
# "login.windows.net",
# "logincert.microsoftonline.com",
# "loginex.microsoftonline.com",
# "nexus.microsoftonline-p.com",
# "passwordreset.microsoftonline.com",
# "provisioningapi.microsoftonline.com",
# "web.core.windows.net",
# ]
DestinationIp|cidr:
- '172.128.0.0/10'
- '20.20.32.0/19'
- '20.103.156.88/32' # msn.com
- '20.190.128.0/18'
- '20.231.128.0/19'
- '40.126.0.0/18'
- '57.150.0.0/15'
- '2603:1006:2000::/48'
- '2603:1007:200::/48'
- '2603:1016:1400::/48'
- '2603:1017::/48'
- '2603:1026:3000::/48'
- '2603:1027:1::/48'
- '2603:1036:3000::/48'
- '2603:1037:1::/48'
- '2603:1046:2000::/48'
- '2603:1047:1::/48'
- '2603:1056:2000::/48'
- '2603:1057:2::/48'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_3:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.compliance.microsoft.com",
# "*.data.microsoft.com",
# "*.protection.office.com",
# "*.security.microsoft.com",
# "compliance.microsoft.com",
# "defender.microsoft.com",
# "protection.office.com",
# "security.microsoft.com",
# "teams.microsoft.com",
# ]
DestinationIp|cidr:
- '13.64.0.0/11'
- '13.107.6.192/32'
- '13.107.9.192/32'
- '13.89.179.14/32'
- '20.40.0.0/14'
- '20.48.0.0/12'
- '20.64.0.0/12'
- '52.123.0.0/16'
- '52.108.0.0/14'
- '52.136.0.0/13'
- '57.150.0.0/15'
- '80.239.150.67/32' # Arelion Sweden AB
- '2620:1ec:4::192/128'
- '2620:1ec:a92::192/128'
DestinationPort: 443
Protocol: 'tcp'
filter_main_destination_host:
DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
DestinationPort: 443
Protocol: 'tcp'
condition: selection and not 1 of filter_main_*
falsepositives:
- You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
- Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
- It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
- attack.command-and-control
- attack.stealth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
filter_main_common_ports:
DestinationPort:
- 53 # DNS
- 80 # HTTP
- 139 # NETBIOS
- 389 # LDAP
- 443 # HTTPS
- 445 # SMB
- 3268 # MSFT-GC
filter_main_outlook_ports:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
DestinationPort:
- 143
- 465 # SMTP
- 587 # SMTP
- 993 # IMAP
- 995 # POP3
condition: selection and not 1 of filter_main_*
falsepositives:
- Other ports can be used, apply additional filters accordingly
level: medium
title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
- attack.stealth
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\outlook.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|contains:
- '\System.Management.Automation.Dll'
- '\System.Management.Automation.ni.Dll'
condition: selection
falsepositives:
- Unknown
level: medium
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\assembly\'
condition: selection
falsepositives:
- Unknown
level: medium