valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
56d200bad0
SigmaHQ/rules/windows/registry_event/sysmon_office_vsto_persistence.yml

29 lines
910 B
YAML
Raw Normal View History

Added Stealthy Office Persistence via VSTO
2021-01-10 12:09:17 +00:00
title: Stealthy VSTO Persistence
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: experimental
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
- https://twitter.com/_vivami/status/1347925307643355138
tags:
- attack.t1137.006
- attack.persistence
author: Bhabesh Raj
date: 2021/01/10
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 11:58:35 +00:00
modified: 2021/06/01
Added Stealthy Office Persistence via VSTO
2021-01-10 12:09:17 +00:00
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Office\Outlook\Addins\'
- '\Software\Microsoft\Office\Word\Addins\'
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 11:58:35 +00:00
filter:
Image|endswith: '\msiexec.exe'
condition: selection and not filter
Added Stealthy Office Persistence via VSTO
2021-01-10 12:09:17 +00:00
falsepositives:
- Unknown
level: high
Reference in New Issue Copy Permalink