2021-03-15 04:33:47 +00:00
|
|
|
title: Set OabVirtualDirectory ExternalUrl Property
|
|
|
|
|
id: 9db37458-4df2-46a5-95ab-307e7f29e675
|
|
|
|
|
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
|
|
|
|
|
author: Jose Rodriguez @Cyb3rPandaH
|
|
|
|
|
status: experimental
|
|
|
|
|
date: 2021/03/15
|
|
|
|
|
references:
|
|
|
|
|
- https://twitter.com/OTR_Community/status/1371053369071132675
|
|
|
|
|
tags:
|
|
|
|
|
- attack.persistence
|
|
|
|
|
- attack.t1505.003
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: msexchange-management
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
2021-03-20 07:34:02 +00:00
|
|
|
Message|contains|all:
|
|
|
|
|
- 'Set-OabVirtualDirectory'
|
|
|
|
|
- 'ExternalUrl'
|
|
|
|
|
- 'Page_Load'
|
|
|
|
|
- 'script'
|
|
|
|
|
condition: selection
|
2021-03-15 04:33:47 +00:00
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
2021-03-20 07:34:02 +00:00
|
|
|
level: high
|
