Sigma rules · CVE-2016-0139 · threatengine.sh

Home/CVE-2016-0139/Sigma rules

Sigma

Sigma rules for CVE-2016-0139

5 rules · scoped to cve · back to CVE-2016-0139

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

5 of 5

direct high

Python Function Execution Security Warning Disabled In Excel

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

status test author @Kostastsale id 023c654f-8f16-44d9-bb2b-00ff36a62af9 license Sigma · DRL-1.1

view Sigma YAML

title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
    - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Office\'
            - '\Excel\Security'
            - 'PythonFunctionWarnings'
        CommandLine|contains: ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high

direct high

Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

status test author Aaron Stratton id 551d9c1f-816c-445b-a7a6-7a3864720d60 license Sigma · DRL-1.1

view Sigma YAML

title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
id: 551d9c1f-816c-445b-a7a6-7a3864720d60
status: test
description: |
    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
references:
    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
    - https://github.com/grayhatkiller/SharpExShell
    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
author: Aaron Stratton
date: 2023-11-13
tags:
    - attack.t1021.003
    - attack.lateral-movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\excel.exe'
    selection_child:
        - OriginalFileName:
          - 'foxprow.exe'
          - 'schdplus.exe'
          - 'winproj.exe'
        - Image|endswith:
          - '\foxprow.exe'
          - '\schdplus.exe'
          - '\winproj.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

direct high

Potential Persistence Via Excel Add-in - Registry

Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.

status test author frack113 id 961e33d1-4f86-4fcf-80ab-930a708b2f82 license Sigma · DRL-1.1

view Sigma YAML

title: Potential Persistence Via Excel Add-in - Registry
id: 961e33d1-4f86-4fcf-80ab-930a708b2f82
status: test
description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
author: frack113
date: 2023-01-15
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Options'
        Details|startswith: '/R '
        Details|endswith: '.xll'
    condition: selection
falsepositives:
    - Unknown
level: high

direct high

Python Function Execution Security Warning Disabled In Excel - Registry

status test author Nasreddine Bencherchali (Nextron Systems), @Kostastsale id 17e53739-a1fc-4a62-b1b9-87711c2d5e44 license Sigma · DRL-1.1

view Sigma YAML

title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
    - id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high

direct medium

Microsoft Excel Add-In Loaded From Uncommon Location

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

status test author Nasreddine Bencherchali (Nextron Systems) id af4c4609-5755-42fe-8075-4effb49f5d44 license Sigma · DRL-1.1

view Sigma YAML

title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
      type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium

Showing 1-5 of 5

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin