Merge branch 'master' of https://github.com/SigmaHQ/sigma

rules/windows/file_event/win_outlook_c2_macro_creation.yml

@@ -0,0 +1,24 @@
+title: Outlook C2 Macro Creation
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+status: experimental
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time. 
+references:
+    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+    - attack.persistence
+    - command_and_control
+    - attack.t1137
+    - attack.t1008
+    - attack.t1546
+date: 2021/04/05
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:        
+        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
+    condition: selection
+falsepositives:
+    - User genuinly creates a VB Macro for their email
+level: medium

rules/windows/registry_event/sysmon_registry_persistence_search_order.yml

@@ -4,9 +4,9 @@ status: experimental
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
     - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: Maxime Thiebaut (@0xThiebaut), oscd.community
+author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2020/11/28
+modified: 2021/05/01
 tags:
     - attack.persistence
     - attack.t1038 # an old one
@@ -20,20 +20,26 @@ detection:
             - 'HKU\'
             - '_Classes\CLSID\'
             - '\InProcServer32\(Default)'
-    filter:
+    filter1:
         - Details|contains: # Exclude privileged directories and observed FPs
             - '%%systemroot%%\system32\'
             - '%%systemroot%%\SysWow64\'
-        - Details|contains|all:
-            - '\AppData\Local\Microsoft\OneDrive\'
+    filterOneDrive:
+        - Details|contains: '\AppData\Local\Microsoft\OneDrive\'
+    filterOneDrive2:
+        - Details|contains:
             - '\FileCoAuthLib64.dll'
-        - Details|contains|all:
-            - '\AppData\Local\Microsoft\OneDrive\'
             - '\FileSyncShell64.dll'
+            - '\FileSyncApi64.dll'
+    filter2:
         - Details|contains|all:
             - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
             - '\Microsoft.Teams.AddinLoader.dll'
-    condition: selection and not filter
+    filter3:
+         - Details|contains|all:
+             - '\AppData\Roaming\Dropbox\'
+             - '\DropboxExt64.*.dll'
+    condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
 falsepositives:
     - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
 level: medium

rules/windows/registry_event_write/win_outlook_C2_registry_key.yml

@@ -0,0 +1,25 @@
+title: Outlook C2 Registry Key
+id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
+status: experimental
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
+references:
+    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+    - attack.persistence
+    - attack.command_and_control
+    - attack.t1137
+    - attack.t1008
+    - attack.t1546
+date: 2021/04/05
+logsource:
+    category: registry_event_write
+    product: windows
+detection:
+    selection_registry:
+        TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
+        Details|contains: '0x00000001'
+    condition: selection_registry
+falsepositives:
+    - Unlikely
+level: medium